Hi,
This article will discuss how to effectively manage the archiving of the DCS database, based on your retention needs and / or performance requirements. This process allows you to minimise the amount of events stored within your active SCSPDB_[Name] database while also maintaining your audit requirements.
This is likely necessary if your DCS environment generates alot of noise, most likely detection events if you're centrally logging events in DCS.
In this example, the customers has an event threshold of say 6 months worth of events, some prevention but mainly detection.
select event_type,count(1) from cspevent cs where cs.event_dt <= '2017-03-18 00:00:00.000' group by event_type
DECLARE @RC int DECLARE @EventCLASS nvarchar(100) = 'Realtime' One of "REALTIME", "PROFILE", "ANALYSIS" DECLARE @PurgeMode nvarchar(100) = 'Purge' -- One of "TESTMODE","PURGE" (Testmode will show what will happen but does not actually delete anything, Purge does!) DECLARE @FilterMode nvarchar(100) = 'Days' DECLARE @FilterValue nvarchar(4000) = '7' -- Number of days to keep (anything older will be deleted) DECLARE @PurgeLimit int = 0 --or 100,000 This is a "governor" to limit how many records to delete at once DECLARE @Process_Rules varchar(8) = 'P' -- Flags indicating processing mode. P print, Q quiet -- TODO: Set parameter values here. EXECUTE @RC = [DCSSA_Review].[dbo].[SCSP_PurgeEvents] @EventCLASS ,@PurgeMode ,@FilterMode ,@FilterValue ,@PurgeLimit ,@Process_Rules GO
Now you'll have a slim line CSP database that is quicker to query and less cluttered, and a review DB that you can use say, direct SQL and / or SSRS to create KPIs and / or analsys on the data. Tip: You can extract the SQL from the CSP reports in the Java Console and use that to query directly or via SSRS etc.
Any questions, let me know.
Thanks,
Kevin