Periodically, you may want to update your set of event sources, and remove ones that are no longer being used. You can use the Idle Time parameter to do this.
Note: The information in this topic applies to RSA NetWitness
Platform Version 11.2 and later.
To remove idle event sources:
- Go to
(Admin) > Event Sources.
-
In the Manage panel, click
.
The Create an Event Group dialog is displayed.
-
Fill in the name and description as you like, and add a condition that uses the Idle Time parameter, as shown here:
In this example, we have set the condition to identify event sources that have been idle for at least 60 days.
- Save the new group, then select it in the Groups panel.
-
Select some or all event sources in the group. The following screen shows all event sources from this group selected.
-
In the Event Sources panel, click
to delete the selected, idle event sources.
A confirmation message appears:
- Click Delete Now to confirm your intention to delete the selected event sources.
If, in the future, an event source that has been removed sends logs, a new event source will be created.
