Archive Situations and Alerts
You can run the command-line archiver utility included with Moogsoft Onprem to archive and delete Situations, alerts, and statistical data. The benefits of archiving data include improved system performance, faster backup and recovery, reduced maintenance, and lower storage costs.
How archiving works
The archiver utility archives and deletes a single day's worth of data at a time, to reduce the impact on the database. After you launch the archiver, it automatically processes data in batches, which are configurable using the -b, -y and -z options in the Archiver Command Reference.
Both the moogsoft-db and moogsoft-utils packages include the archiver utility. You can find it at:
$MOOGSOFT_HOME/bin/utils/moog_archiver
The archiver exports and deletes data from the historic database. By default it writes files to the /usr/local/archived directory.
Launch the archiver
To launch the archiver, execute the moog_archiver command and pass either the -e argument to export or the -r option to delete.
To export all data older than 28 days to the default directory and retain the data in the database:
./moog_archiver -e
To delete all data older than 28 days:
./moog_archiver -r
See the Archiver Command Reference for a full list of available arguments.
Archive loose alerts
You can modify the selection criteria for loose alerts and for Situations and their member alerts. To archive and delete loose alerts only, use the last example below.
Export loose alerts that have not been modified in the past 28 days, and closed/dormant/superseded Situations and their member alerts that have not been modified in the past 4 days, and then delete the data from the database:
./moog_archiver -e -r -s 4
Export loose alerts that have not been modified in the past 2 days, and closed/dormant/superseded Situations and their member alerts that have not been modified in the past 7 days, and then delete the data from the database:
./moog_archiver -e -r -l 2 -s 7
Export loose alerts that have not been modified in the past 28 days, and then delete the data from the database:
./moog_archiver -e -r -t
Archive filtered Situations and alerts
You can use global Situation and alert filters to limit the data that is eligible for archiving and deletion.
To export loose alerts that have not been modified in the past 28 days, and Situations and their member alerts that have not been modified in the past 7 days and match the global filter "My Global Situation Filter", and then delete the data from the database:
./moog_archiver -e -r -s 7 -i "My Global Situation Filter"
To delete all Situations that match the filter "My Global Situation Filter" and their member alerts, and delete all loose alerts that match the filter "My Global Alert Filter":
./moog_archiver -r -s 0 -l 0 -i "My Global Situation Filter" -a "My Global Alert Filter"
Use filters that extract data based on age with caution, as they can conflict with specified (or default) age constraints. If you use a filter that selects Situations created during the past day and apply an option to archive Situations older than 28 days, no data will be archived.
Delete Situations, alerts and statistical data
You can use the archiver to delete Situations, alerts and statistical data that match specified criteria from the database.
Delete all Situation and alert data:
./moog_archiver -r -s 0 -l 0
Delete statistical data older than 15 days:
./moog_archiver -m -n 15
Delete files older than 7 days from the default directory:
./moog_archiver -f 7
Archive file names and structure
Archive files are named and structured as follows:
Archive files containing Situation data, including alerts, events and snapshots, have the filename format <table name>-<yyyymmdd>.<hhmmss>.csv. For example:
alerts-20150410.143637.csv
Archive files containing loose alert data have the filename format <table name>-loose<yyyymmdd>.<hhmmss>.csv. For example:
alerts-loose-20150410.143637.csv
Quotes are used within the files to handle occurrences of the delimiter. Quote characters in cells are enclosed in a second quote character. Null values from the database are written as \N.
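The following Python sketch reads an archive file back according to the naming and quoting rules above, for example when archived alerts are needed for a later investigation. It is an added example, not part of the Moogsoft tooling; the comma delimiter, the double-quote character and the sample columns are assumptions, because the page does not specify them.

```python
import csv
import io
import re
from datetime import datetime

# Filename layout from the section above. The page's format string and its
# example differ on the hyphen after "loose", so both spellings are accepted.
ARCHIVE_NAME = re.compile(
    r"^(?P<table>.+?)-(?P<loose>loose-?)?(?P<date>\d{8})\.(?P<time>\d{6})\.csv$"
)
NULL_MARKER = r"\N"  # how the archiver writes database NULLs


def parse_archive_name(filename):
    """Split an archive filename into table name, loose flag and export time."""
    m = ARCHIVE_NAME.match(filename)
    if m is None:
        raise ValueError(f"not an archiver filename: {filename!r}")
    exported = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    return {"table": m["table"], "loose": m["loose"] is not None, "exported": exported}


def read_archive_rows(stream, delimiter=","):
    """Yield rows as lists, undoing quote doubling and mapping \\N to None.

    Assumption: the delimiter is a comma and the quote character is '"';
    the page names neither. A cell whose text is exactly \\N is treated as
    NULL, so a genuine two-character string \\N cannot be told apart here.
    """
    reader = csv.reader(stream, delimiter=delimiter, quotechar='"', doublequote=True)
    for row in reader:
        yield [None if cell == NULL_MARKER else cell for cell in row]


# Constructed sample content (not real Moogsoft data; column layout is invented).
SAMPLE = (
    '101,"Disk full, /var","host-a",\\N\n'
    '102,"Login ""root"" failed","host-b",5\n'
)

if __name__ == "__main__":
    print(parse_archive_name("alerts-loose-20150410.143637.csv"))
    for row in read_archive_rows(io.StringIO(SAMPLE, newline="")):
        print(row)
```

When reading a real file, open it with newline="" so that line breaks inside quoted cells are preserved.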
Usage tips
The following tips can help you plan your archiving strategy:
Moogsoft recommends running the archiver outside core operational hours to minimize the impact on users. Users of the UI should refresh their sessions after the utility has been used to delete data.
Archiving often in small quantities allows for fast execution and minimal impact.
You can set up a cron job to run the archiver daily, outside core operational hours.
You can use a specific alert or Situation filter to remove targeted events.
Exporting and/or removing large amounts of data on a running system can be slow.
Exporting from a remote machine is slower because of network latency.
The archiver tool can export data from the prc_earliest_highest_severity_event table but it cannot delete this data.
You do not need to re-run the indexer after using the archiver tool to delete data. The -r option deletes records from Opensearch to keep the search feature synchronized with the database.