---
title: Working with the Purge Expired Data plugin
description: Use the Purge Expired Data plugin to delete expired entries or attribute values.
component: pingdirectory
version: 11.1
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_purge_expired_data_plugin
canonical_url: https://docs.pingidentity.com/pingdirectory/11.1/pingdirectory_server_administration_guide/pd_ds_purge_expired_data_plugin.html
llms_txt: https://docs.pingidentity.com/pingdirectory/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: June 9, 2026
page_aliases: ["pd_ds_purge_expired_data_plugin_expired_entries.adoc", "pd_ds_purge_expired_data_plugin_expired_attrs.adoc"]
section_ids:
  configuring-the-purge-expired-data-plugin-for-expired-entries: Configuring the Purge Expired Data plugin for expired entries
  steps: Steps
  example: Example:
  example-2: Example:
  example-3: Example:
  example-4: Example:
  configuring-the-purge-expired-data-plugin-for-expired-attribute-values: Configuring the Purge Expired Data plugin for expired attribute values
  steps-2: Steps
  example-5: Example:
  example-6: Example:
  example-7: Example:
  scheduling-an-expired-data-purge-task: Scheduling an expired data purge task
---

# Working with the Purge Expired Data plugin

Use the Purge Expired Data plugin to delete expired entries or attribute values.

When the plugin is enabled, a background thread in the plugin periodically searches for and purges expired data. For optimal performance, enable the Purge Expired Data plugin on multiple servers in a topology. For example, you can configure one server to delete data while others are searching for expired data.

Create and configure the Purge Expired Data plugin with the `dsconfig` tool. Configuration options include the base distinguished name (DN) and filter, the items to be purged, how to identify expired data, and the frequency for polling and purging. Be aware of the following when using the plugin:

* The plugin runs continuously, polling at a configurable interval, which is 5 minutes by default.

* You must index the search for expired data.

* An alarm is raised if the server purging data falls behind the configured `max-updates-per-second`.

* Monitoring information is available in the Admin Console, or `cn=monitor`.

|   |                                                                                                                                                                                                                                                                  |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | As an alternative to the plugin, PingDirectory also supports scheduling purge operations as a task, so that you can run data cleanup during a maintenance window. Learn more in [Scheduling an expired data purge task](#scheduling-an-expired-data-purge-task). |

## Configuring the Purge Expired Data plugin for expired entries

Use the Purge Expired Data plugin to delete all unverified account entries that have not been accessed in the past eight weeks. The is useful for the following scenarios:

* Accounts that potential customers started to create through an application's registration process but then did not complete.

* The phone number or email address that was provided during registration was not verified and should be allowed to be used by another account.

### Steps

1. If necessary, enable the Last Access Time plugin:

   The server can track the last access time automatically in the `ds-last-access-time` attribute by enabling the Last Access Time plugin.

   #### Example:

   ```shell
   $ bin/dsconfig set-plugin-prop \
     --plugin-name "Last Access Time" \
     --set enabled:true
   ```

2. To determine expiration order, create an index on the date attribute.

   The Purge Expired Data plugin requires the date attribute that is used to determine expiration to be indexed for ordering.

   #### Example:

   ```shell
   $ bin/dsconfig create-local-db-index \
     --backend-name userRoot \
     --index-name ds-last-access-time \
     --set index-type:ordering
   ```

3. If there is data present in the directory, rebuild the index.

   #### Example:

   ```shell
   $ bin/rebuild-index \
     --baseDN dc=example,dc=com \
     --index ds-last-access-time
   ```

4. Create the plugin that purges account entries `objectclass=account` that are not verified.

   #### Example:

   The following example purges account entries `verified=false` after eight weeks of inactivity.

   ```shell
   $ bin/dsconfig create-plugin \
     --plugin-name "Purge Old Unvalidated Accounts" \
     --type purge-expired-data \
     --set enabled:true \
     --set datetime-attribute:ds-last-access-time \
     --set "expiration-offset:8 w" \
     --set "filter:(&(objectClass=account)(verified=false))"
   ```

## Configuring the Purge Expired Data plugin for expired attribute values

Use the Purge Expired Data plugin to delete values of an attribute that have expired. For example, an application can track information about an employee's session and then close the session after 24 hours. There can be multiple active sessions tracked across different devices with session information as shown in the following example.

In this example, the LDAP attribute is `sessioninfo` and the JSON field that stores the timestamp is `creationTime`. These are used to configure the Purge Expired Data plugin.

```
sessionInfo: { "sessionId" : "E85FAC04E331FFCA55549B10B7C7A4FA",
"ipAddress": "10.0.0.00", "userAgent": "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us)
AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10",
"creationTime" : "2018-03-31T13:10:15Z" }
```

Create the plugin to purge the JSON attribute values after 24 hours, rather than the entire session entry.

### Steps

1. Create an index on the `creationTime` field of the `sessioninfo` attribute.

   #### Example:

   ```shell
   $ bin/dsconfig create-json-attribute-constraints \
     --attribute-type sessioninfo \
     --set enabled:true
   ```

   #### Example:

   ```shell
   $ bin/dsconfig create-json-field-constraints \
     --attribute-type sessioninfo \
     --json-field creationTime \
     --set index-values:true \
     --set value-type:string
   ```

2. Create and enable the plugin.

   #### Example:

   ```shell
   $ bin/dsconfig create-plugin \
     --plugin-name "Purge Old Session Data Plugin" \
     --type purge-expired-data \
     --set enabled:true \
     --set "custom-datetime-format:yyyy-MM-dd'T'HH:mm:ss'Z'" \
     --set datetime-attribute:sessioninfo \
     --set datetime-format:custom \
     --set datetime-json-field:creationTime \
     --set "expiration-offset:1 d" \
     --set purge-behavior:delete-json-attribute-values
   ```

## Scheduling an expired data purge task

As an alternative to the Purge Expired Data plugin, you can submit a `purge-expired-data` task directly to the `tasks` backend using `ldapmodify`. This is useful when you want a purge to run at a scheduled time rather than continuously.

The following example schedules a one-time `purge-expired-data` task:

```shell
$ bin/ldapmodify
dn: ds-task-id=purge-expired-sessions,cn=Scheduled Tasks,cn=tasks
changetype: add
objectClass: top
objectClass: ds-task
objectClass: ds-task-purge-expired-data
ds-task-id: purge-expired-sessions
ds-task-class-name: com.unboundid.directory.server.tasks.PurgeExpiredDataTask
ds-task-state: waiting_on_start_time
ds-task-scheduled-start-time: 20260101020000Z
ds-task-purge-expired-data-datetime-attribute: createTimestamp
ds-task-purge-expired-data-datetime-format: generalized-time
ds-task-purge-expired-data-expiration-offset: 30 days
ds-task-purge-expired-data-purge-behavior: delete-entries
ds-task-purge-expired-data-base-dn: ou=sessions,dc=example,dc=com
```

To schedule the previous task to repeat, wrap it in a recurring task chain using `dsconfig`, as shown in [Scheduling expired PingFederate grant cleanup as a recurring task](pd_ds_pf_grant_cleanup_recurring_task.html).
