Highlighted
Absent Member.
Absent Member.
654 views

How to delete or purge excessive number of cases

Jump to solution

We recently had a rule accidentally create 260,000 cases and assign them to an administrator. We need a way to delete or purge all of them.

Using the Arcsight Console, we found that if we choose "Cases" under the Resources navigator, and then right-click and choose "Show Cases" we're able to see all of them and delete in batches. Unfortunately we can only delete 1000 cases at a time, the limit Arcsight console can display at one time. Deleting 1000 cases also takes several minutes, when done we manually have to select the next 1000 a cumbersome and slow process.

Is there a way we can delete 260,000 cases located in a single category?

Labels (1)
Tags (2)
0 Likes
Reply
1 Solution

Accepted Solutions
Highlighted
Absent Member.
Absent Member.

Hi,

try from SQL

login as arcsight user

Select count(*) from arc_ resource where name like '<case name%>' and resource_type = '7';

delete from arc_resource where name like '<case name%>' and resource_type = '7';

requires manager service restart to reflect changes.

Regards

View solution in original post

6 Replies
Highlighted
Absent Member.
Absent Member.

Hi,

try from SQL

login as arcsight user

Select count(*) from arc_ resource where name like '<case name%>' and resource_type = '7';

delete from arc_resource where name like '<case name%>' and resource_type = '7';

requires manager service restart to reflect changes.

Regards

View solution in original post

Highlighted
Absent Member.
Absent Member.

Hi,

have you tried to delete the folder contains the 260,000?

-Dan

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

I never deleted folder but I deleted unwanted cases manually.

Have you reached to ArcSight Support?

0 Likes
Reply
Highlighted
New Member.

This approach btw is documented in the HP/ArcSight knowledgebase!

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Thanks for the suggestions, I should have mentioned that we have an Express ESM so the DB is Oracle not MS SQL. I don't know if there's a way to manually run such a query against the Arcsight ESM's Oracle DB.

I haven't tried support yet, wanted to see if anyone else had ever had such an issue. I'm nervous about deleting the folder because it's one of the built-in folders.

I'll wait to see if anyone else has suggestions then call Arcsight on Monday if we haven't figure it out by then.

0 Likes
Reply
Highlighted
New Member.

No ArcSight product is based on MSSQL.

The instructions are for Oracle.

If you have Express based on Oracle, then just follow the procedures.

If you have Express on CORR-E, then well, I have never tried that. In that case it won't be Oracle and you better request an updated procedure from Support.

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.