The ESM should begin to purge the oldest data first if it becomes full and does not have a secondary storage location to move older files to such as an attached DAS, SAN, or some other type of file share.
You can set up your own Purge Parameters based on your corporate policy and your particular space limitations.
If you SSH to your ESM you can run the "df -h" command to see how much space you have, how much has been used, and how much is available. You would be interested in the Mounted on location "/data_hd"; if you have an attached DAS, it would show up as Mounted on "/das1_hd".
Thank you for the reply.
Could you please let me know where the purge parameters setting page is?
First - you have to be logged in to the ESM as the NGCP user (or whatever you renamed it) to set or change the purge parameters.
Go to the ESM Properties > Click on "Database" > Click on "Data Retention" > configure the number of days to retain for "Events" and "Flows"
Note - The way the ESM stores data in the database is via Partitions: Alert Partitions = Events, Connection Partitions = Flows, Packet Partitions = Device Log Data.
A partition in the database can span multiple days (weeks or months). The data associated with the partition is not purged by individual record, but rather by the entire partition.
So if you have a partition that spans 2 weeks, it will not get purged until the oldest piece of information meets your purge setting.
There are nsql commands to look at your partitions (which should all be attached unless a background rebuild is going on).
Once you have connected to the database you can use:
show partitions from alert
show partitions from connection
show partitions from packet
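
The disk-space check described in the first reply can be scripted. The following is an added example, not part of the original thread or of any McAfee tooling: it reads `df -P` output (the POSIX fixed-column form, used here instead of "df -h" so the percentage parses reliably) and reports on the "/data_hd" and "/das1_hd" mounts. The function names, the 85% warning threshold and the sample df output are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report usage of the ESM data mounts named in the thread.
# On the ESM itself the input would be:  df -P | check_esm_mounts 85

# Reads `df -P` output on stdin. $1 = warning threshold in percent
# (85 is an assumed default, not a vendor value).
# Returns non-zero if /data_hd is missing or any watched mount is at
# or above the threshold.
check_esm_mounts() {
    threshold="${1:-85}"
    awk -v limit="$threshold" '
        NR == 1 { next }                          # skip the df header line
        $NF == "/data_hd" || $NF == "/das1_hd" {
            use = $(NF - 1); sub(/%/, "", use)    # "91%" -> "91"
            seen[$NF] = 1
            status = (use + 0 >= limit) ? "WARN" : "OK"
            printf "%s %s %d%%\n", status, $NF, use
            if (status == "WARN") bad = 1
        }
        END {
            if (!seen["/data_hd"]) { print "MISSING /data_hd"; bad = 1 }
            # Without a DAS there is no secondary location for older data,
            # so a full /data_hd means the oldest partitions get purged.
            if (!seen["/das1_hd"]) print "INFO no DAS mounted at /das1_hd"
            exit (bad + 0)
        }'
}

# Constructed sample input (not captured from a real ESM).
sample_df() {
cat <<'EOF'
Filesystem     1024-blocks       Used Available Capacity Mounted on
/dev/sda1         20511312    6291456  14219856      31% /
/dev/sdb1       1922728752 1749683164 173045588      91% /data_hd
EOF
}

# Demonstration run on the constructed sample; "|| true" keeps the
# script's own exit status clean when a warning is reported.
sample_df | check_esm_mounts 85 || true
```

A non-zero return from `check_esm_mounts` makes it usable from cron or a monitoring agent to alert before the ESM starts purging.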