I have written a tiny Java app to run a query and retrieve the results of that query, saving them to a file. Our Splunk system is totally overloaded, so it takes quite a while for this to happen. In fact, so long that the default TTL for the job expires at some random point during result retrieval. Right now, the only way I found to manipulate the TTL is to set it to a different value at job creation. Thus, I now set it to some arbitrarily large value (>6 hours). This means that I have to manually delete the job once my app is done running (since I don't want to wait >5 hours to clear the space in use).
I'd like to handle all of this more gracefully, but to do so need to know how to do the following ... I can not find documentation explaining how to do these, thus this question:
Extend TTL on an existing job
The solution is actually rather simple ... use an export search, which avoids all of the headaches of ttl and size of result set.
The solution is actually rather simple ... use an export search, which avoids all of the headaches of ttl and size of result set.