When the number of alerts stored in the ESA database grows so high that the database becomes very large, performance can be negatively impacted.
Automatic deletion of alerts/incidents older than a specific date is not enabled on the Respond Server Explore page, which causes old alerts/incidents to accumulate in the Mongo database on the ESA server.
Automatic deletion of old alerts/incidents should be enabled from the Respond Server Explore page to delete old alerts/incidents from the Mongo database on the ESA server.
Reference : page 75 in
https://community.netwitness.com/t5/netwitness-platform-online/respond-configuration-guide-for-12-3-1/ta-p/705366
Prerequisites : The Administrator role must be assigned to you.
Procedure :
1. Go to (Admin) > Services, select the Respond Server service, and then select > View > Explore.
2. In the Explore view node list, select respond/dataretention.
3. In the enabled field, select true to delete incidents and alerts older than the retention period. The scheduler runs every 24 hours at 23:00. You will see a notice that the configuration was successfully updated.
4. In the retention-period field, type the number of days to retain incidents and alerts. For example, type 30 DAYS, 60 DAYS, 90 DAYS, 120 DAYS, 365 DAYS, or any number of days. A message informs you that the configuration was successfully updated.
Result : Within 24 hours after the retention period ends, the scheduler permanently deletes all alerts and incidents older than the specified period from NetWitness Respond. Journal entries and tasks associated with the deleted incidents are also deleted.