How to clean up the MongoDB for the Incident Management Module in SA 10.4.0.2?
How to clean up the MongoDB for the Incident Management Module in SA 10.4.0.2?
I have done this on the "Alert" part of the DB, should be similar for the "Incident" tables
SSH login on the ESA box
Login to the mongo DB
Check how many alerts are stored: db.alert.aggregate( [ { $group: { _id: "$alert.source", count: { $sum: 1 } } } ])
Remove all the alerts: db.alert.remove()
What's this?
[root@esa ~]# mongo
TokuMX mongo shell v1.4.2-mongodb-2.4.10
connecting to: test
> db.alert.aggregate( [ { $group: { _id: "$alert.source", count: { $sum: 1 } } } ])
Error: Printing Stack Trace
at printStackTrace (/data/package-rpm-el6/build/BUILD/tokumx-enterprise-1.4.2/src/mongo/shell/utils.js:37:15)
at DBCollection.aggregate (/data/package-rpm-el6/build/BUILD/tokumx-enterprise-1.4.2/src/mongo/shell/collection.js:660:9)
at (shell):1:10
Wed Feb 4 15:10:01.597 aggregate failed: { "ok" : 0, "errmsg" : "unauthorized" } at /data/package-rpm-el6/build/BUILD/tokumx-enterprise-1.4.2/src/mongo/shell/collection.js:661
You need to logon with the appropriate mongodb ID/password.
[root@saesarchvr ~]# mongo im -u ******-p ****** (replace ***** with user / password of the im database)
TokuMX mongo shell v1.4.2-mongodb-2.4.10
connecting to: im
> db.alert.aggregate( [ { $group: { _id: "$alert.source", count: { $sum: 1 } } } ])
{
"result" : [
{
"_id" : "Reporting Engine",
"count" : 32
},
{
"_id" : "Event Stream Analysis",
"count" : 39753
}
],
"ok" : 1
}
> db.incident.aggregate( [ { $group: { _id: "$incident.source", count: { $sum: 1 } } } ])
{ "result" : [ { "_id" : null, "count" : 4 } ], "ok" : 1 }
last one for incident. - sorry I do not delete my base.
# mongo admin -u xxxxx -p xxxx
> use im
> db.alert.aggregate( [ { $group: { _id: "$alert.source", count: { $sum: 1 } } } ])
{
"result" : [
{
"_id" : "Reporting Engine",
"count" : 12011
},
{
"_id" : "Event Stream Analysis",
"count" : 50115
},
{
"_id" : "Security Analytics Investigator",
"count" : 1
}
],
"ok" : 1
}
> db.incident.aggregate( [ { $group: { _id: "$incident.source", count: { $sum: 1 } } } ])
{ "result" : [ { "_id" : null, "count" : 733 } ], "ok" : 1 }
# mongo admin -u ****** -p **********
> use im
> db.alert.aggregate( [ { $group: { _id: "$alert.source", count: { $sum: 1 } } } ])
{
"result" : [
{
"_id" : "Reporting Engine",
"count" : 12011
},
{
"_id" : "Event Stream Analysis",
"count" : 50115
},
{
"_id" : "Security Analytics Investigator",
"count" : 1
}
],
"ok" : 1
}
> db.incident.aggregate( [ { $group: { _id: "$incident.source", count: { $sum: 1 } } } ])
{ "result" : [ { "_id" : null, "count" : 733 } ], "ok" : 1 }
What is the command to remove the incidents and alerts after getting the count?
Remove all the alerts:
db.alert.remove()
db.incident.remove({})
( hum not sure about the {} but this is what is writtent in my personal cheat sheet )
[root@saesarchvr ~]# mongo im -u ******-p ****** (replace ***** with user / password of the im database)
TokuMX mongo shell v1.4.2-mongodb-2.4.10
connecting to: im
> db.alert.aggregate( [ { $group: { _id: "$alert.source", count: { $sum: 1 } } } ])
{
"result" : [
{
"_id" : "Reporting Engine",
"count" : 32
},
{
"_id" : "Event Stream Analysis",
"count" : 39753
}
],
"ok" : 1
}
> db.incident.aggregate( [ { $group: { _id: "$incident.source", count: { $sum: 1 } } } ])
{ "result" : [ { "_id" : null, "count" : 4 } ], "ok" : 1 }
last one for incident. - sorry I do not delete my base.