We're feeding XSOAR with a lot of incidents. To avoid this, we created a job which deletes incidents each week. However, due to the amount of them, the command "SearchIncidentsV2" fails, it's no capable to search them. How can we free space by deleting incidents in a massive way?
In this case you'll want to archive the older database partitions using this method:
It's an all or nothing approach however, as the partitions contain all Incidents for the given month.
It's not possible to selectively archive like this. Archived data can be restored later if needed so that's probably the approach I'd take for data that needs a longer retention. Exporting (only) the incidents with longer retention requirements is also an option.
Please also note that, at least for XSOAR 6 with Bolt, deleting an incident will not free space in the database associated with that incident. Additionally, files attached to incidents can be deleted separately with standard file system commands: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.8/Cortex-XSOAR-Administrator-Guide/Archive...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!