How to purge events from a specific vendor after a set period of time.

We are running into disk space issues on our OrionLog database. While we work through creating rules to reduce the amount of messages being stored, we would like to purge all messages from a specific vendor after a set number of days. Does anyone have any experience with SQL or SWQL in order to remove records from the Orion Log database?

We do not want to reduce the overall number of days for retention for all records.

  • So the log DB is structured very differently than most traditional databases. The whole thing is structured based on the timestamps when the data came in, and when a table gets big enough they cap it off and generate the next one as needed. So a query to filter by anything except timestamps is going to be tricky, and you are going to end up emptying a bunch of tables with random names, then having to shrink them to actually get any disk back.

  • Thank you for the info. Looks like we caught the issue in time to put in a global preprocessing rule stopping the further growth into danger territory. Time for a feature request to allow better granularity on retention storage of logs by node / vendor / machine type etc.
