
A partition from the event table has been deleted xx times

I'm having issues with the ESM. I've allocated the data totally to events, but even when the ESM hasn't reached the limits of maximum events or of disk space, I get the following error:

crlpn1qn.bmp

My disk free space

h240ekbn.bmp

My data retention configuration

852s3re9.bmp

My data allocation configuration

8uz8pg1j.bmp

9 Replies

Re: A partition from the event table has been deleted xx times

I wonder about the answer to this question too

penoffd
Level 10
Message 3 of 10

Re: A partition from the event table has been deleted xx times

I see this regularly as well.  Had an SR open on it, never resolved.

jon286
Level 9
Message 4 of 10

Re: A partition from the event table has been deleted xx times

We had a different situation to this with our combo VM where it was falling under the minimum disk space daily, before deleting partitions and leaving us with rarely more than 6 days normalized data in active partitions on the box itself. This was fixed the other day on SR via our reseller, and it's now reached 9 days in ESM with 210GB free (43m records).


It turns out we still had packet data running back to last October; the max records per partition was causing it to retain far more than it was supposed to. If I remember right, this was some sort of leftover from a bug fixed in 9.4.2 (which we are running).

Try this (also check the packet partition info, substitute alert with packet), it outputs more than this but note the totals and max limits;

NitroTID -d '/usr/local/ess/data/ngcp.dfl|::1|1111' -t alert -4

=============================================================
Nitro Table Information Display (NitroTID)
=============================================================
Options used:
DFL=/usr/local/ess/data/ngcp.dfl|::1|1111 TABLE=alert PARTITIONS
Retrieving information. Please wait...
=============================================================
alert (table IS open)
=============================================================
=============================================================
PARTITION INFORMATION
=============================================================
  Table Version           - 193956454654519
  Partition Type          - Time based partition
  Total Partitions        - 3
  Total Active            - 3
  Total Inactive          - 0
  Partitioning Field      - LastTime
  Partitioning Time Unit  - 1 day(s)
  Min Records / Partition - 25,000,000
  Max Records / Partition - 25,000,000
  Allowed Attached        - 101,000,000 record(s) OR 5 partition(s)
  Max Before Deletion     - 101,000,000 record(s) OR 5 partition(s)
  Max Emtpy Gap           - 30 partition unit(s)

Re: A partition from the event table has been deleted xx times

Hi Jon286,

I realize this thread is pretty old, but I just tried to run the command you wrote out, and I got this error:

ERROR: Could not open the .cfg file handle (error 105)

Do I need to stop the ESM before running this?

If you have any thoughts, I'd be grateful to hear them.

Thanks,

- Steve

Re: A partition from the event table has been deleted xx times

I was told by Support that is an informational message letting you know it's dropping the packet data off the receivers.  If you have an ELM in your environment that is keeping all the raw logs -- which most clients do -- it's really of no consequence since you still have your full packet data stored there.  You can easily click the "ELM retrieval" button while viewing a normalized event if you want more details.

mcgarl1
Level 9
Message 7 of 10

Re: A partition from the event table has been deleted xx times

I was given the same information by Support.

Re: A partition from the event table has been deleted xx times

What I would like to know now is how to suppress that event so it won't change my "flags" to red! 

I initially dropped the severity to a "1" on this rule, and eventually just disabled it but we continue to get those "critical" alerts. 


306-4

Event partition detach

leathal
Level 7
Message 9 of 10

Re: A partition from the event table has been deleted xx times

I have this issue as well. 

Events being pruned out of ESM before disk is full on Combo VM and we have set retention to as long as possible and events to 90% over flows. No change.

kmc
Level 12
Message 10 of 10

Re: A partition from the event table has been deleted xx times

The events are being deleted because there are too many event records in the database.

The database will self-manage the space. Based on the type, like a combo box, which needs to share the space with a receiver, an ELM and an ESM with 50% Events and 50% Flows (it can change based on the configuration). This 50% is half of the space allocated to the ESM.

 

So it's difficult to guess based on the available space, so check the allowed number of records for storing events and check the stored record count to cross-verify.
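
The cross-check suggested above, run against the NitroTID partition output quoted earlier in the thread, as an added example (not code from any poster or from the vendor). It assumes "Max Before Deletion" means pruning starts when either the record limit or the partition limit is reached; `stored_records` and `events_per_day` are hypothetical inputs the caller supplies, since the quoted output does not include them.

```python
import re

# Constructed sample: PARTITION INFORMATION lines as quoted in the thread above.
SAMPLE = """\
  Total Partitions        - 3
  Total Active            - 3
  Partitioning Time Unit  - 1 day(s)
  Max Records / Partition - 25,000,000
  Allowed Attached        - 101,000,000 record(s) OR 5 partition(s)
  Max Before Deletion     - 101,000,000 record(s) OR 5 partition(s)
"""

FIELD = re.compile(r"^\s*([A-Za-z/ ]+?)\s+-\s+(.+?)\s*$")
LIMIT = re.compile(r"([\d,]+) record\(s\) OR ([\d,]+) partition\(s\)")


def _num(text):
    return int(text.replace(",", ""))


def parse_partition_info(text):
    """Turn 'Key - value' lines into a dict; banner and separator lines are skipped."""
    info = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        lim = LIMIT.fullmatch(val)
        if lim:
            info[key] = {"records": _num(lim[1]), "partitions": _num(lim[2])}
        elif re.fullmatch(r"[\d,]+", val):
            info[key] = _num(val)
        else:
            info[key] = val
    return info


def pruning_headroom(info, stored_records, events_per_day):
    """Assumption: pruning starts when EITHER limit in 'Max Before Deletion' is hit."""
    limit = info["Max Before Deletion"]
    left = {"records": limit["records"] - stored_records,
            "partitions": limit["partitions"] - info["Total Partitions"]}
    return {"left": left,
            "limits_hit": sorted(k for k, v in left.items() if v <= 0),
            "max_days_at_rate": limit["records"] / events_per_day}


if __name__ == "__main__":
    print(pruning_headroom(parse_partition_info(SAMPLE), 43_000_000, 15_000_000))
```

A `max_days_at_rate` well below the configured retention period means the record limit, not disk space, is what bounds how long events stay in the ESM.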