Cleanup Event Data

The Events Cleanup Service provides two complementary methods to manage event storage and ensure optimal system performance.

Time-Based Expiration

The purpose of time-based expirations is to automatically delete old events that have exceeded their retention period.

What Gets Deleted

When this is triggered, the system deletes the following event types:

  1. Custom Events: All custom events older than the retention period
  2. Resolved Alert Events: Alert events marked as resolved
  3. OK State Alerts: Alert events with the OK state

Retention Periods

Default Retention: 30 days

  • All events older than 30 days (matching the criteria above) are automatically deleted
  • This applies to all users unless you have created custom retention settings

Per-Customer Custom Retention:

  • You can configure custom retention periods
  • Custom retention periods override the 30-day default

For more information on various retention limits, see Data Retention.

What’s Protected

  • Active (triggering) alert events: Unresolved alerts continue to be retained regardless of age
  • Critical alert states: Alert events that are not in the OK state or marked as resolved

Count-Based Limiting

The purpose of count-based limiting is to ensure your event storage stays within configured count limits. This happens by deleting older, lower-priority events when your storage thresholds are exceeded.

Event Count Threshold

The data from the last 48 hours is exempt from this cleanup.

  • Default limit: 2 million events
  • Cleanup trigger: It will take action when your organization exceeds 110% of your limit
    • Example: With the default 2 million limit, cleanup starts at 2.2 million events
  • Target after cleanup: Events are reduced back to the configured limit (2 million)
  • Per-customer overrides: You can create custom retention settings

For more information on various retention limits, see Data Retention.

Priority-Based Deletion Strategy

When cleanup is needed, events are deleted in order of increasing priority (least important first):

PriorityEvent TypeSeverity     Category             Description                                            
0       Any       InformationalINFORMATIONAL        Informational events (lowest priority)                 
1       Custom    Low          LOW_INFRASTRUCTURE   Low severity infrastructure events (no team assignment)
2       Custom    Low          LOW_CUSTOM           Low severity custom events (with team assignment)      
3       Custom    Medium       MEDIUM_INFRASTRUCTUREMedium severity infrastructure events                  
4       Custom    Medium       MEDIUM_CUSTOM        Medium severity custom events                          
5       Alert     Low          LOW_ALERT            Low severity alert events                              
7       Custom    High         HIGH_INFRASTRUCTURE  High severity infrastructure events                    
8       Custom    High         HIGH_CUSTOM          High severity custom events                            
9       Alert     Medium       MEDIUM_ALERT         Medium severity alert events                           
11      Alert     High         HIGH_ALERT           High severity alert events (highest priority)          

Within each priority category, older events (by timestamp) are deleted first.

Combined Execution

The cleanup job runs both methods sequentially:

  1. First: Removes old events based on time retention
  2. Second: Enforces count-based limits on remaining events

This two-phase approach ensures that:

  • Time-expired events are removed first (freeing space efficiently)
  • Count-based cleanup only processes events within the retention window
  • The most critical and recent events are preserved