Solved: Can I specify a per-search custom ttl for schedule...

the_wolverine · ‎06-23-2011

I have scheduled alerts whose artifacts expire before I can get to them. Can I specify a custom ttl per alert in version 4.1.x?

the_wolverine · ‎10-09-2011

This is no longer an issue in version 4.2 where one can now specify a ttl per search.

View solution in original post

the_wolverine · ‎10-09-2011

This is no longer an issue in version 4.2 where one can now specify a ttl per search.

hazekamp · ‎06-23-2011

wolverine,

Per 4.1.7 Savedsearches.conf you should be able to specify the 'dispatch.ttl' param.

dispatch.ttl = <integer>[p]
* Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
* If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
* the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
* If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
* Defaults to 2p.

the_wolverine · ‎07-14-2011

I've had issues with getting this to work. Despite setting "dispatch.ttl = 604800" for specific alerts, I still have search artifacts that report "expired" after a couple of days. I'll file a ticket.

hazekamp · ‎06-24-2011

Yes. In the case of savedsearches.conf all settings can be set per stanza "saved search" name.

the_wolverine · ‎06-24-2011

Thank you, Dave. I asked because it is not clear whether this setting can be used on a per-search basis. I'll test it and report back for future reference.

Can I specify a per-search custom ttl for scheduled search artifacts? If so, how?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes