
Delete STIX

Soltra Edge 2.12 provides a tool that allows an admin-level account to remove old data from the system. The tool is called “Delete STIX”. It is a command-line tool that can be run as often as needed or scheduled as a cron job.

Delete STIX has some prerequisites to run effectively:

  1. Your system must have free space to execute the tool. If you are running low on space, it is best to contact NC4 Soltra Support for assistance in expanding your drive or freeing up space prior to tool execution. 
  2. Post tool execution, the system will attempt to reclaim space on your appliance if free space is available.
  3. A re-index of your data and reallocation of your stats will occur post execution of the tool. 
  4. Deletion is based on the date the data was added to Soltra Edge, not on the age of the data itself. For example, if you uploaded data that is three years old to your appliance yesterday, that data is one day old on your appliance.
  5. Always follow best practice and make a backup/snapshot of your appliance before deleting any data or contact NC4 Soltra Support for assistance with backing up your data. 

To execute the tool, you need to first review what data you have on your system. 

To do this, go to “Search” and view the objects displayed on the page. Please take note of the approximate count of objects shown below the search box. 

 

 

As you can see from the screenshot above, there are approximately 5000 objects on the appliance. 

Next, note the date on which the data to be removed was added. To do this, select an object or a couple of objects from “Search” and view their “On” date in “Object Detail”.

 

 

In the screenshot above, this object was added on 2/6/2019.

Now go to “Search” and use a search query to see how much data was added on 2/6/2019. 

By using the key/value pair of “day:6 month:2” and searching, you are able to review the results and see how many objects were created on that date.

 

 

In order to remove all data from the system that was created on "2/6", launch the terminal so you can execute the delete STIX tool. 

Open a terminal, SSH to the appliance, and enter the following command:

sudo edgectl deletestix -h

This command provides all options that “deletestix” can perform, including: 

  • --olderthan deletes STIX objects older than N days; the default is 90 days if nothing is specified. This means that any data older than 90 days will be removed from your system. If you state --olderthan 4, all data older than the last 4 days will be removed.
  • --interactive runs the tool in the foreground
  • --noinput does not prompt the user for confirmation before the deletion of data
  • -h or --help shows the help screen above

The most commonly used option is --olderthan N, which removes data older than N days.

Enter the following command:

sudo edgectl deletestix --olderthan 3

This removes any data older than the last 3 days.

Select yes and take note of the warning that this will recalculate dashboard stats, search, and other metadata related to STIX objects. 

The following message will appear.

 

 

Refresh the “Search” page to verify all data from "2/6" has been removed.
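
Because Delete STIX can run from cron and --noinput skips the confirmation prompt, an unattended run benefits from guard rails. The wrapper below is an added example, not NC4 Soltra code: it validates the retention window, checks free space (prerequisite 1), logs the exact command, and defaults to a dry run. The paths, thresholds, variable names, the use of root's crontab, and combining --olderthan with --noinput in one call are assumptions.

```shell
#!/bin/sh
# Added example: cron-safe wrapper around "edgectl deletestix".
# Only --olderthan and --noinput come from the page; every path, threshold
# and variable name below is an assumption to adapt to your appliance.

DATA_PATH="${DATA_PATH:-/}"            # filesystem to check for free space (assumed)
MIN_FREE_KB="${MIN_FREE_KB:-1048576}"  # require 1 GiB free before running (assumed)
MIN_DAYS="${MIN_DAYS:-7}"              # unattended floor for --olderthan (assumed, adjustable)
DRY_RUN="${DRY_RUN:-1}"                # 1 = only log the command; 0 = execute it

# Accept only a whole number of days that is at least MIN_DAYS.
validate_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$MIN_DAYS" ]
}

# Free space in KiB on the filesystem holding $1 (POSIX df -P, column 4).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Build the exact command line so it can be logged and reviewed.
build_cmd() {
    printf 'edgectl deletestix --olderthan %s --noinput' "$1"
}

# Return codes: 0 ok or dry run, 2 bad retention value, 3 not enough free space.
prune_stix() {
    days="$1"
    validate_days "$days" || { echo "refusing: bad --olderthan value '$days'" >&2; return 2; }
    avail="$(free_kb "$DATA_PATH")"
    [ "${avail:-0}" -ge "$MIN_FREE_KB" ] || { echo "refusing: only ${avail:-0} KiB free" >&2; return 3; }
    cmd="$(build_cmd "$days")"
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) deletestix: $cmd (dry_run=$DRY_RUN)"
    [ "$DRY_RUN" = 1 ] && return 0
    $cmd   # assumed to run from root's crontab, so sudo is omitted
}

# Cron passes the retention window as the first argument, e.g. "prune_stix.sh 90".
if [ "$#" -gt 0 ]; then prune_stix "$1"; fi
```

Review the dry-run log line first, then set DRY_RUN=0 in the cron entry once the command and retention window are what you expect, and take the backup or snapshot from prerequisite 5 before the first real run.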

 

 

 

 

For more information, join the conversation in the Soltra Edge Forums at forums.soltra.com.