6 Replies Latest reply on Sep 15, 2015 1:49 PM by LT McGary

    A partition from the event table has been deleted xx times

    teofilov

      I'm having issues with the ESM. I've allocated the data totally to events, but even when the ESM hasn't reached the limits of maximum events or of disk space, I get the following error:

      crlpn1qn.bmp

       

      My disk free space

      h240ekbn.bmp

      My data retention configuration

      852s3re9.bmp

      My data allocation configuration

      8uz8pg1j.bmp

        • 1. Re: A partition from the event table has been deleted xx times
          streamer

          I wonder about the answer to this question too

          • 2. Re: A partition from the event table has been deleted xx times
            penoffd

            I see this regularly as well.  Had an SR open on it, never resolved.

            • 3. Re: A partition from the event table has been deleted xx times
              jon286

              We had a different situation to this with our combo VM where it was falling under the minimum disk space daily, before deleting partitions and leaving us with rarely more than 6 days normalized data in active partitions on the box itself. This was fixed the other day on SR via our reseller, and it's now reached 9 days in ESM with 210GB free (43m records).


              It turns out we still had packet data running back to last October; the max records per partition was causing it to retain far more than it was supposed to. If I remember right, this was some sort of leftover from a bug fixed in 9.4.2 (which we are running).

               

              Try this (also check the packet partition info, substitute alert with packet); it outputs more than this, but note the totals and max limits:

               

              NitroTID -d '/usr/local/ess/data/ngcp.dfl|::1|1111' -t alert -4

              =============================================================
              Nitro Table Information Display (NitroTID)
              =============================================================
              Options used:
              DFL=/usr/local/ess/data/ngcp.dfl|::1|1111 TABLE=alert PARTITIONS

              Retrieving information. Please wait...
              =============================================================
              alert (table IS open)
              =============================================================
              =============================================================
              PARTITION INFORMATION
              =============================================================
                Table Version           - 193956454654519
                Partition Type          - Time based partition
                Total Partitions        - 3
                Total Active            - 3
                Total Inactive          - 0
                Partitioning Field      - LastTime
                Partitioning Time Unit  - 1 day(s)
                Min Records / Partition - 25,000,000
                Max Records / Partition - 25,000,000
                Allowed Attached        - 101,000,000 record(s) OR 5 partition(s)
                Max Before Deletion     - 101,000,000 record(s) OR 5 partition(s)
                Max Emtpy Gap           - 30 partition unit(s)
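Added example, not part of the reply above and not vendor tooling: a Python sketch that parses the PARTITION INFORMATION block printed by NitroTID and sets the totals beside the "Max Before Deletion" limits. The function names are hypothetical, the output layout is assumed to match the post, and reading "OR" as "either limit applies" is an assumption.

```python
import re

# Constructed sample: fields copied from the PARTITION INFORMATION output posted above.
SAMPLE = """\
  Total Partitions        - 3
  Total Active            - 3
  Partitioning Time Unit  - 1 day(s)
  Min Records / Partition - 25,000,000
  Max Records / Partition - 25,000,000
  Allowed Attached        - 101,000,000 record(s) OR 5 partition(s)
  Max Before Deletion     - 101,000,000 record(s) OR 5 partition(s)
"""

FIELD = re.compile(r"^\s*(.+?)\s+-\s+(.+?)\s*$")   # "Label   - value"
LIMIT = re.compile(r"([\d,]+) record\(s\) OR (\d+) partition\(s\)")

def to_int(text):
    return int(text.replace(",", ""))

def parse_partition_info(text):
    """Return {label: value} for every 'Label - value' line; banners are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def retention_summary(fields):
    """Put the current totals next to the 'Max Before Deletion' limits."""
    m = LIMIT.search(fields.get("Max Before Deletion", ""))
    if m is None:
        raise ValueError("no 'Max Before Deletion' limit found in the output")
    max_records, max_parts = to_int(m.group(1)), int(m.group(2))
    total = int(fields["Total Partitions"])
    per_part = to_int(fields["Max Records / Partition"])
    return {
        "total_partitions": total,
        "max_partitions": max_parts,
        "max_records": max_records,
        "partition_headroom": max_parts - total,
        # Assumption: "OR" means either limit applies, so this is how many
        # partitions filled to the per-partition maximum fit under the record cap.
        "full_partitions_under_record_cap": max_records // per_part,
    }

if __name__ == "__main__":
    print(retention_summary(parse_partition_info(SAMPLE)))
```

Saved NitroTID output for the alert and packet tables can be passed through the same two functions to compare them.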

              • 4. Re: A partition from the event table has been deleted xx times
                trekkiecat

                I was told by Support that is an informational message letting you know it's dropping the packet data off the receivers.  If you have an ELM in your environment that is keeping all the raw logs -- which most clients do -- it's really of no consequence since you still have your full packet data stored there.  You can easily click the "ELM retrieval" button while viewing a normalized event if you want more details.

                • 5. Re: A partition from the event table has been deleted xx times
                  LT McGary

                  I was given the same information by Support.

                  • 6. Re: A partition from the event table has been deleted xx times
                    trekkiecat

                    What I would like to know now is how to suppress that event so it won't change my "flags" to red! 

                     

                    I initially dropped the severity to a "1" on this rule, and eventually just disabled it but we continue to get those "critical" alerts. 


                    306-4

                    Event partition detach