Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

ESM: Removing Idle Event Sources

Document created by RSA Information Design and Development Employee on Sep 12, 2018Last modified by RSA Information Design and Development Employee on Sep 8, 2020
Version 8Show Document
  • View in full screen mode

Periodically, you may want to update your set of event sources, and remove ones that are no longer being used. You can use the Idle Time parameter to do this.

Note: The information in this topic applies to RSA NetWitness Platform Version 11.2 and later.

To remove idle event sources:

  1. Go to (Admin) > Event Sources.
  2. In the Manage panel, click  .

    The Create an Event Group dialog is displayed.

  3. Fill in the name and description as you like, and add a condition that uses the Idle Time parameter, as shown here:

    In this example, we have set the condition to identify event sources that have been idle for at least 60 days.

  4. Save the new group, then select it in the Groups panel.
  5. Select some or all event sources in the group. The following screen shows all event sources from this group selected.

  6. In the Event Sources panel, click delete iconto delete the selected, idle event sources.

    A confirmation message appears:

  7. Click Delete Now to confirm your intention to delete the selected event sources.

If, in the future, an event source that has been removed sends logs, a new event source will be created.

You are here
Table of Contents > Manage Event Source Groups > Remove Idle Event Sources