The System Cleaner is a lightweight, AI‑driven maintenance engine that continuously monitors, validates, and optimizes the health of a Knowledge Graph 4.0 Sentinel Suite deployment. It removes stale triples, fixes schema drift, re‑indexes high‑frequency vertices, and reconciles orphaned entities without downtime.
2. How does it differ from the previous “KG‑Cleaner 3.x” tool?
AI‑augmented anomaly detection (deep‑learning‑based pattern recognition)
Zero‑touch incremental cleaning (changes are applied in‑place, no full‑graph reload)
Built‑in Sentinel‑Suite integration (single‑sign‑on, unified dashboards)
Native support for GraphQL‑L2 and SPARQL‑L3 query layers
3. Which graph databases are officially supported?
Vendor / Engine Minimum Version Notes
Neo4j 5.12+ Requires the Neo4j‑Graph‑Data‑Science plugin
Amazon Neptune 1.2.0.0 Uses Neptune Open Cypher endpoint
JanusGraph 0.6.2+ Requires TinkerPop 3.6+
Azure Cosmos DB (Gremlin API) 3.30+ Clean‑up runs in “batch‑mode” only
Virtuoso 08.12.3317 SPARQL L3 endpoint required
Community‑contributed adapters exist for other engines; see the “Extending the Cleaner” guide.
🛠 Installation & Setup
4. What are the system requirements?
CPU: 4‑core × 2.5 GHz (8‑core recommended)
RAM: 16 GB minimum (32 GB for > 500 M triples)
Disk: SSD with at least 100 GB free (clean‑up logs + backup snapshots)
OS: Ubuntu 22.04 LTS, RHEL 9, or Windows Server 2022 (Docker‑compatible)
Java: OpenJDK 11 (or later) – bundled in the Docker image
5. How do I install the Cleaner on a Linux host?
# 1️⃣ Pull the official Docker image
docker pull sentinel/kg4-cleaner:latest
# 2️⃣ Create a config directory
mkdir -p /etc/kg-cleaner && chmod 700 /etc/kg-cleaner
# 3️⃣ Copy the sample config and edit
docker run --rm sentinel/kg4-cleaner:latest cat /opt/cleaner/sample.conf > /etc/kg-cleaner/cleaner.conf
# 4️⃣ Edit /etc/kg-cleaner/cleaner.conf (set DB connection, auth, retention policies)
# 5️⃣ Run the container (detached)
docker run -d \
--name kg4-cleaner \
-v /etc/kg-cleaner:/opt/cleaner/conf \
-v /var/log/kg-cleaner:/opt/cleaner/logs \
sentinel/kg4-cleaner:latest
For on‑premise Java‑only installations, see the “Binary Distribution” section of the admin guide.
6. Is there a SaaS‑ready deployment option?
Yes. Sentinel Suite offers a Managed Cleaner Service (MCS) that runs in a fully‑isolated Kubernetes namespace on the same cloud provider as your graph. Provisioning is a one‑click operation from the Sentinel console; you only need to supply the graph endpoint and service‑account credentials.
7. What authentication methods are supported?
Basic (username / password)
OAuth 2.0 client‑credentials (recommended for cloud deployments)
Kerberos GSSAPI (on‑premise)
X‑509 Mutual TLS (optional, must be enabled on the graph endpoint)
🔧 Configuration
8. How do I define “stale” data?
In cleaner.conf you can set a TTL policy per predicate or per label, e.g.:
stalePolicy {
defaultTTL = "365d"
predicates {
"kg:lastSeen" = "180d"
"kg:accessCount" = "30d"
}
labels {
"kg:Session" = "90d"
}
}
The Cleaner automatically calculates the “age” of a triple based on the latest timestamp value (ISO‑8601) and the configured TTL.
9. Can I schedule cleaning windows?
Yes. Use the built‑in cron‑like scheduler:
schedule {
cron = "0 2 * * 0" # Every Sunday at 02:00 UTC
maxRuntime = "4h"
overlapPolicy = "skip" # Skip if a previous run is still active
}
Alternatively, trigger runs via the REST API (see Q 15).
10. How do I enable “incremental” mode?
Set mode = "incremental" in the execution block. In this mode the Cleaner tracks a watermark (last‑processed transaction ID) and only scans changes that occurred since the previous run.
11. What is the “Safe‑Guard” feature?
When enabled (safeguard.enabled = true), the Cleaner creates a point‑in‑time snapshot of affected sub‑graphs before any mutation. If a validation step fails, the snapshot is automatically restored, guaranteeing zero data loss.
12. Can I customize the AI‑based anomaly detector?
Yes. Upload a custom TensorFlow SavedModel to the models/ directory and reference it in ai.detector.modelPath. The model must accept a feature vector consisting of:
Feature Type
predicate frequency float
vertex degree variance float
temporal drift score float
semantic similarity (BERT embedding) float
The built‑in model is a lightweight ResNet‑34 variant that works out‑of‑the‑box for most domains.
📊 Monitoring & Reporting
13. Where can I view cleaning statistics?
Sentinel Dashboard → Knowledge Graph → Cleaner (real‑time charts)
Prometheus metrics at /metrics (e.g., kg_cleaner_deleted_triples_total)
Daily JSON report written to /var/log/kg-cleaner/reports/ (configurable)
14. How do I integrate alerts with PagerDuty / Opsgenie?
Expose the Prometheus alert rule:
- alert: KGCleanerHighDeletionRate
expr: rate(kg_cleaner_deleted_triples_total[5m]) > 5000
for: 10m
labels:
severity: critical
annotations:
summary: "Cleaner is deleting > 5 k triples per minute"
description: "Check for possible mis‑configuration of TTL policies."
Then forward alerts via the Alertmanager webhook to your incident‑management platform.
15. Is there an API to trigger ad‑hoc clean‑ups?
Yes. POST to /api/v1/cleaner/run with a JSON payload:
{
"mode": "full",
"dryRun": false,
"labels": ["kg:Obsolete", "kg:Temp"]
}
Authentication follows the same scheme as the graph endpoint. The response contains a runId you can query later (GET /api/v1/cleaner/status/{runId}).
🛡️ Safety & Compliance
16. Does the Cleaner comply with GDPR “right to be forgotten”?
When a “deletion request” is ingested via the /api/v1/subject/erase endpoint, the Cleaner automatically:
Flags all triples containing the subject.
Performs a hard purge (no soft‑delete) after a configurable 24‑hour grace period.
Logs the operation in an immutable audit trail (WORM storage).
17. How are logs protected?
Logs are written in JSON‑L format and signed with a rotating HMAC‑SHA256 key.
At rest, they are stored on encrypted volumes (AES‑256‑GCM).
Remote syslog forwarding can be configured to a SIEM with TLS 1.3.
18. What happens if the Cleaner crashes mid‑run?
The built‑in transactional checkpoint writes a runState record after each batch. On restart, the Cleaner resumes from the last successful checkpoint. If a batch fails validation, the Safeguard snapshot (if enabled) is automatically rolled back.
🚀 Performance & Scaling
19. How does the Cleaner handle graphs with billions of triples?
Parallel batch workers (configurable workers = 8 by default) each pull a slice of the transaction log.
Graph‑partition awareness – the Cleaner discovers Neo4j “shards” or Neptune “partitions” and processes them locally to avoid cross‑region traffic.
Adaptive throttling – the engine monitors graph latency and automatically backs off to keep the underlying service under 70 % CPU.
20. What is the typical throughput?
On a 16‑core server with a 500 M‑triple Neo4j cluster (SSD storage), the Cleaner routinely processes ≈ 1.2 M triples/min in incremental mode, and ≈ 450 k triples/min in full‑graph mode.
21. Can the Cleaner be run in a Kubernetes cluster?
Absolutely. Deploy the official Helm chart:
helm repo add sentinel https://charts.sentinel.io
helm install kg4-cleaner sentinel/kg4-cleaner \
--set image.tag=4.0.2 \
--set resources.limits.cpu=8 \
--set resources.limits.memory=32Gi
The chart includes a Horizontal Pod Autoscaler that scales the worker pool based on the kg_cleaner_batch_latency_seconds metric.
🧩 Integration & Extensibility
22. How do I plug a custom post‑processing script?
Add a hook in cleaner.conf:
hooks {
postProcessing = "/opt/cleaner/hooks/custom_cleanup.sh"
}
The script receives three environment variables:
Variable Meaning
KG_RUN_ID Unique identifier of the current run
KG_DELETED_COUNT Number of triples removed
KG_SNAPSHOT_PATH Path to the Safeguard snapshot (if any)
23. Is it possible to clean only a sub‑graph?
Yes. Use a seed query in the config:
subgraph {
seedQuery = "MATCH (n:kg:Customer {region:'EMEA'}) RETURN n"
depth = 3 # Walk up to three hops from each seed node
}
Only triples reachable within the defined depth are examined.
24. Does the Cleaner expose SPARQL update endpoints?
When mode = "full" and exposeSparql = true, the Cleaner creates a temporary SPARQL Update endpoint (/sparql) that runs deletions in a single transaction. This endpoint is secured by the same authentication mechanism used for the main graph.
🐞 Troubleshooting
25. Why am I seeing “Failed to acquire lock on vertex XYZ” errors?
The Cleaner uses graph‑level write locks to guarantee consistency. This error typically occurs when another bulk‑loader or migration job holds the lock longer than the Cleaner’s lockTimeout (default 30 s). Solutions:
Increase lockTimeout in cleaner.conf.
Reschedule the Cleaner to a time when no other bulk jobs run.
Enable optimistic concurrency (optimisticLocks = true).
26. My daily report shows “0 deleted triples” even though I expect many.
Check the following:
TTL values: Are they set far in the future?
Dry‑run flag: Ensure dryRun = false in the API request or schedule.
Predicate indexing: If a predicate is not indexed, the Cleaner may skip it. Add an index via the graph admin console.
27. The Cleaner’s memory usage keeps growing over time.
Possible causes:
Large in‑memory change‑log buffer (bufferSize too high). Reduce it to 10 k entries.
Leak in a custom AI model – ensure the model releases TensorFlow sessions after each batch (tf.keras.backend.clear_session()).
Insufficient GC tuning – add -XX:+UseG1GC -Xmx24g to the JVM options.
28. How can I verify that a Safeguard snapshot was restored correctly?
After a failure, the Cleaner writes a snapshotRollback.log entry. You can also query the graph for the snapshot tag:
MATCH (n) WHERE n._snapshotTag = "<runId>"
RETURN count(n) AS restoredNodes
The count should match the number of nodes recorded in the pre‑run audit (preRunAudit.json).
29. The Prometheus /metrics endpoint returns “connection refused”.
Verify that the container port 9100 (default) is exposed.
Ensure metrics.enabled = true in cleaner.conf.
Confirm that no firewall rule blocks inbound traffic from the Prometheus server.
30. My API token expires after 1 hour, causing scheduled runs to fail.
Switch to OAuth 2.0 client‑credentials with a refresh token or configure a long‑lived service‑account key (auth.serviceAccountFile). The Cleaner will automatically refresh the token before each run.
📜 Licensing & Support
31. What licensing model does the Cleaner use?
Community Edition (CE): Free, limited to 100 M triples, no AI model, no Safeguard.
Enterprise Edition (EE): Subscription‑based per‑node, includes AI detector, Safeguard, multi‑region scaling, and 24 / 7 support.
32. How can I request a feature or report a bug?
Feature requests / bugs: Open an issue on the public GitHub repo (github.com/sentinel/kg4-cleaner).
Enterprise customers: Use the Sentinel Support Portal (Ticket ID KG‑CLEAN‑####). SLA: < 4 h for critical, < 24 h for non‑critical.
33. Is there a test‑environment license?
Yes. The EE license includes a “sandbox” token that unlocks all features on a separate “dev” namespace, with a 90‑day expiration that can be renewed at no cost.