This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Security Analytics 10.4 - Incidents - Database Clean up

Go to solution
DavidMechsner
Beginner
Beginner

‎2015-02-03 11:38 AM

How to clean up the MongoDB for the Incident Management Module in SA 10.4.0.2?

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
BenoitRostagni
Beginner
Beginner
In response to BenoitRostagni

‎2015-02-06 03:28 AM

[root@saesarchvr ~]# mongo im -u ******-p ******                              (replace ***** with user / password of the im database)

TokuMX mongo shell v1.4.2-mongodb-2.4.10

connecting to: im

> db.alert.aggregate( [  { $group: { _id: "$alert.source", count: { $sum: 1 } } } ])

{

        "result" : [

                {

                        "_id" : "Reporting Engine",

                        "count" : 32

                },

                {

                        "_id" : "Event Stream Analysis",

                        "count" : 39753

                }

        ],

        "ok" : 1

}

> db.incident.aggregate( [  { $group: { _id: "$incident.source", count: { $sum: 1 } } } ])

{ "result" : [ { "_id" : null, "count" : 4 } ], "ok" : 1 }

 

last one for incident. - sorry I do not delete my base.

View solution in original post

7 REPLIES 7

Go to solution
BenoitRostagni
Beginner
Beginner

‎2015-02-04 05:17 AM

I have done this on the "Alert" part of the DB, should be similar for the "Incident" tables

 

SSH login on the ESA box

Login to the mongo DB

Check how many alerts are stored: db.alert.aggregate( [  { $group: { _id: "$alert.source", count: { $sum: 1 } } } ])

Remove all the alerts: db.alert.remove()

Go to solution
DavidMechsner
Beginner
Beginner
In response to BenoitRostagni

‎2015-02-04 09:14 AM

What's this?

 

[root@esa ~]# mongo

TokuMX mongo shell v1.4.2-mongodb-2.4.10

connecting to: test

> db.alert.aggregate( [  { $group: { _id: "$alert.source", count: { $sum: 1 } } } ])

Error: Printing Stack Trace

    at printStackTrace (/data/package-rpm-el6/build/BUILD/tokumx-enterprise-1.4.2/src/mongo/shell/utils.js:37:15)

    at DBCollection.aggregate (/data/package-rpm-el6/build/BUILD/tokumx-enterprise-1.4.2/src/mongo/shell/collection.js:660:9)

    at (shell):1:10

Wed Feb  4 15:10:01.597 aggregate failed: { "ok" : 0, "errmsg" : "unauthorized" } at /data/package-rpm-el6/build/BUILD/tokumx-enterprise-1.4.2/src/mongo/shell/collection.js:661

0 Likes

Go to solution
BenoitRostagni
Beginner
Beginner
In response to DavidMechsner

‎2015-02-04 12:44 PM

You need to logon with the appropriate mongodb ID/password.

0 Likes

Go to solution
BenoitRostagni
Beginner
Beginner
In response to BenoitRostagni

‎2015-02-06 03:28 AM

[root@saesarchvr ~]# mongo im -u ******-p ******                              (replace ***** with user / password of the im database)

TokuMX mongo shell v1.4.2-mongodb-2.4.10

connecting to: im

> db.alert.aggregate( [  { $group: { _id: "$alert.source", count: { $sum: 1 } } } ])

{

        "result" : [

                {

                        "_id" : "Reporting Engine",

                        "count" : 32

                },

                {

                        "_id" : "Event Stream Analysis",

                        "count" : 39753

                }

        ],

        "ok" : 1

}

> db.incident.aggregate( [  { $group: { _id: "$incident.source", count: { $sum: 1 } } } ])

{ "result" : [ { "_id" : null, "count" : 4 } ], "ok" : 1 }

 

last one for incident. - sorry I do not delete my base.

Go to solution
DavidMechsner
Beginner
Beginner
In response to BenoitRostagni

‎2015-02-16 04:38 AM

Many thanks, now it works!
Mongo Admin -> switch to im

 

# mongo admin -u xxxxx -p xxxx

> use im

> db.alert.aggregate( [  { $group: { _id: "$alert.source", count: { $sum: 1 } } } ])

{

        "result" : [

                {

                        "_id" : "Reporting Engine",

                        "count" : 12011

                },

                {

                        "_id" : "Event Stream Analysis",

                        "count" : 50115

                },

                {

                        "_id" : "Security Analytics Investigator",

                        "count" : 1

                }

        ],

        "ok" : 1

}

> db.incident.aggregate( [  { $group: { _id: "$incident.source", count: { $sum: 1 } } } ])

{ "result" : [ { "_id" : null, "count" : 733 } ], "ok" : 1 }

 

# mongo admin -u ****** -p **********

> use im

> db.alert.aggregate( [  { $group: { _id: "$alert.source", count: { $sum: 1 } } } ])

{

        "result" : [

                {

                        "_id" : "Reporting Engine",

                        "count" : 12011

                },

                {

                        "_id" : "Event Stream Analysis",

                        "count" : 50115

                },

                {

                        "_id" : "Security Analytics Investigator",

                        "count" : 1

                }

        ],

        "ok" : 1

}

> db.incident.aggregate( [  { $group: { _id: "$incident.source", count: { $sum: 1 } } } ])

{ "result" : [ { "_id" : null, "count" : 733 } ], "ok" : 1 }

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to DavidMechsner

‎2015-03-05 02:25 PM

What is the command to remove the incidents and alerts after getting the count?

0 Likes

Go to solution
BenoitRostagni
Beginner
Beginner

‎2015-03-05 02:31 PM

Remove all the alerts:

db.alert.remove() 

db.incident.remove({}) 

 

 

( hum not sure about the {} but this is what is writtent in my personal cheat sheet )

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.