Scheduled actions in QRadar Incident Forensics
You can schedule maintenance, such as deleting old documents, tuning the database, and resetting the IBM QRadar Incident Forensics server.
If there are many documents, scheduled actions, such as deleting old documents, might take a long time to complete. If you want to delete an entire case, use the Case Management tool.
Deleting documents
Administrators can delete outdated documents based on the document network time stamps.
You can delete documents, which include pcap and other file types, from a case or the server. Deleting outdated documents helps maintain speed when you search documents.
Optimizing the database
Administrators can optimize the database to reorganize the search engine index into segments and remove deleted documents.
The Optimize Database scheduled action is similar to a defrag command.
When you optimize the database, a new index is built. After the new index is built, it replaces the old index. Because two indexes exist until the old index is replaced, the optimize index command requires double the amount of hard disk space.
Before you optimize your database, you must ensure that the size of your index does not exceed 50 percent of the available space on your hard disk.
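One way to check this requirement before the scheduled action runs, as an added example that is not IBM tooling or part of the original page. INDEX_DIR is a placeholder because this page does not name the index location, and "available space" is assumed to mean the free space that df reports for the file system that holds the index.

```shell
#!/bin/sh
# Added example: headroom pre-check for the Optimize Database scheduled action.
# INDEX_DIR is a placeholder; the page does not give the index location.

# Succeeds when the index size does not exceed 50 percent of the available space.
# Args: index size in KB, available space in KB.
index_fits() {
    [ $(( $1 * 2 )) -le "$2" ]
}

# Size of a directory tree in KB.
dir_kb() {
    du -sk "$1" | awk '{print $1}'
}

# Free space in KB on the file system that holds a path (POSIX df output format).
# Assumption: this is what the page means by "available space".
avail_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Returns 0 if optimizing is safe, 1 if headroom is short, 2 if the directory is missing.
check_optimize_headroom() {
    dir=$1
    [ -d "$dir" ] || { echo "index directory not found: $dir" >&2; return 2; }
    idx=$(dir_kb "$dir")
    free=$(avail_kb "$dir")
    if index_fits "$idx" "$free"; then
        echo "OK: index ${idx} KB, available ${free} KB"
    else
        echo "STOP: index ${idx} KB exceeds 50% of available ${free} KB" >&2
        return 1
    fi
}

# Runs the check only when INDEX_DIR is set in the environment.
[ -z "${INDEX_DIR:-}" ] || check_optimize_headroom "$INDEX_DIR"
```

A non-zero exit status means the optimize action should be postponed until old documents are deleted or disk space is added.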