Soltra Edge 2.12 provides a tool that lets an admin-level account remove old data from the system. This tool is called “Delete STIX”. It is a command-line tool that can be run as often as needed or scheduled as a cron job.
Delete STIX has some prerequisites to run effectively.
To execute the tool, you need to first review what data you have on your system.
To do this, go to “Search” and view the objects displayed on the page. Please take note of the approximate count of objects shown below the search box.
As you can see from the screenshot above, there are approximately 5000 objects on the appliance.
Next, it is important to note the date on which the data to be removed was added. To do this, select an object or a couple of objects from “Search” and view their “On” date in “Object Detail”.
On the screenshot above, this object was added on 2/6/2019.
Now go to “Search” and use a search query to see how much data was added on 2/6/2019.
By using the key/value pair of “day:6 month:2” and searching, you are able to review the results and see how many objects were created on that date.
In order to remove all data from the system that was created on "2/6", launch the terminal so you can execute the delete STIX tool.
After launching the terminal, SSH to the appliance and enter the following command:
sudo edgectl deletestix -h
This command provides all options that “deletestix” can perform, including:
--olderthan will delete STIX objects older than N days, with the default being 90 days if nothing is specified. This means that any data older than 90 days will be removed from your system. If you state --olderthan 4, all data older than the last 4 days will be removed.
--interactive runs this in the foreground
--noinput does not prompt the user for confirmation before the deletion of data
--help shows the help screen above
The most common command is --olderthan N days, which will remove old data.
Enter the following command:
sudo edgectl deletestix --olderthan 3 (this removes any data older than the last 3 days)
Select yes and take note of the warning that this will recalculate dashboard stats, search, and other metadata related to STIX objects.
The following message will appear.
Refresh the “Search” page to verify all data from "2/6" has been removed.
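For the cron use mentioned at the start of this article, the sketch below is an added example, not part of Soltra Edge or its documentation. It validates the retention value before running the tool with --noinput, since that option removes the confirmation prompt. The names MIN_DAYS, EDGE_DRY_RUN, build_deletestix_cmd and run_deletestix, and the 7-day floor, are assumptions made for this example.

```shell
#!/bin/sh
# Added example: guarded wrapper for running Delete STIX unattended (e.g. from cron).
# Only "edgectl deletestix", --olderthan and --noinput come from the article;
# MIN_DAYS, EDGE_DRY_RUN and both function names are hypothetical.

MIN_DAYS="${MIN_DAYS:-7}"   # assumed site policy: never purge data newer than this

# Print the deletestix command line for a retention of $1 days, or fail.
build_deletestix_cmd() {
    days="$1"
    # Accept only 1 to 4 digits: no sign, no spaces, no shell metacharacters.
    case "$days" in
        ''|*[!0-9]*|?????*)
            echo "retention must be a whole number of days: '$days'" >&2
            return 2 ;;
    esac
    if [ "$days" -lt "$MIN_DAYS" ]; then
        echo "refusing --olderthan $days: below the floor of $MIN_DAYS days" >&2
        return 3
    fi
    # --noinput skips the confirmation prompt, so the checks above are the only guard.
    printf 'sudo edgectl deletestix --olderthan %s --noinput' "$days"
}

# Build the command, log it with a timestamp, and run it unless EDGE_DRY_RUN=1.
run_deletestix() {
    cmd="$(build_deletestix_cmd "$1")" || return $?
    echo "$(date '+%Y-%m-%dT%H:%M:%S') deletestix: $cmd"
    if [ "${EDGE_DRY_RUN:-0}" = "1" ]; then
        return 0
    fi
    $cmd   # safe to leave unquoted: the argument was validated as digits only
}

# When invoked with an argument (as a cron entry would), run the purge.
[ "$#" -eq 0 ] || run_deletestix "$1"
```

Run it once with EDGE_DRY_RUN=1 and compare the logged command with what you would type by hand before scheduling it.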
For more information, join the conversation in the Soltra Edge Forums at forums.soltra.com.