Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

saved search results expiration time

dhaffner
Path Finder
‎06-03-2010 01:27 PM

How do I extend the length of time that the results for a saved search are kept? We get the following message:

The search you requested could not be found. The search has probably expired or been deleted. Clicking "Rerun search" will run a new search based on the original......

The problem is this is a very long running search, so how can we get the results to be saved for a longer period of time?

Thanks!

Tags (1)
Reply
2 Solutions
Solved! Jump to solution
Solution

Lowell
Super Champion
‎06-03-2010 01:51 PM

Edit your savedsearches.conf file and set the dispatch.ttl value. The default value is 2p which means 2 times longer than the scheduled interval of your search.

savedsearches.conf:

[my_very_long_and_intensive_savedsearch_name]
 ....
 dispatch.ttl = 10p
 ....

From the savedsearch.conf docs:

dispatch.ttl = <integer>[p]

  • Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
  • If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
  • the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
  • If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
  • Defaults to 2p.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-03-2010 05:21 PM

when you're dealing with long-running searches it's better to 'save' the results of them than muck with the TTL. This will mark the job as 'saved' which means the TTL will not apply so the job will never get deleted by the system.

'sent to background' will do this but that literally banishes the search from your UI, which can make it hard to find the job again later. Therefore the easiest way to do this in practice is to choose 'get link to results'. A little message will tell you when you're copying the URL, that the job has been saved and shared. Then you can just keep it running and rest assured that it wont be cancelled. and you'll have a URL in hand which you can save somewhere to come back to later to check on the status of your long running job.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-03-2010 05:21 PM

when you're dealing with long-running searches it's better to 'save' the results of them than muck with the TTL. This will mark the job as 'saved' which means the TTL will not apply so the job will never get deleted by the system.

'sent to background' will do this but that literally banishes the search from your UI, which can make it hard to find the job again later. Therefore the easiest way to do this in practice is to choose 'get link to results'. A little message will tell you when you're copying the URL, that the job has been saved and shared. Then you can just keep it running and rest assured that it wont be cancelled. and you'll have a URL in hand which you can save somewhere to come back to later to check on the status of your long running job.

Reply
Solved! Jump to solution

carlyleadmin
Contributor
‎01-26-2018 08:12 AM

Can you elaborate on "sent to background " and "get to link to result" please?where is this sent to background feature?

i have both daily reports and alerts set and i have selected "link to alert and link to results" on edit actions but after a day old reports i am getting this error when i click on view results

"The search has probably expired or been deleted.

Clicking "Rerun search" will run a new search based on the expired search's search string in the expired search's original time period. Alternatively, you can return back to Splunk."

and i get this error when i click on view results on alert email that is older than a day or more

Error in 'SearchOperator:loadjob': Cannot find artifacts for savedsearch_ident 'scheduler_c2V5aHVuLmJhYmFjYW4uY3dAY2FybHlsZS5jb20_search_RMD5983d413544d79706_at_1516821000_25329'.

0 Karma
Reply
Solved! Jump to solution

sansay
Contributor
‎04-12-2013 03:01 PM

That is my experience as well and we are on 4.3.3

0 Karma
Reply
Solved! Jump to solution

Jordan_Brough
Path Finder
‎08-24-2012 07:32 AM

This will mark the job as 'saved' which means the TTL will not apply so the job will never get deleted by the system.
'sent to background' will do this but that literally banishes the search from your UI

Has this changed? I'm on Splunk 4.3.2 and when I send a job to the background I see ths message: "Your search job has been backgrounded. To retrieve it, visit this page. Backgrounded jobs expire after 1 week."

And If I visit a backgrounded job after a week I see a page with this message: "The search you requested could not be found. The search has probably expired or been deleted."

0 Karma
Reply
Solved! Jump to solution

dhaffner
Path Finder
‎06-17-2010 08:21 PM

Both answers are very helpful! Thank you! I think this one suits my purposes better for my situation, tho.
Thanks again!

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎06-03-2010 01:51 PM

Edit your savedsearches.conf file and set the dispatch.ttl value. The default value is 2p which means 2 times longer than the scheduled interval of your search.

savedsearches.conf:

[my_very_long_and_intensive_savedsearch_name]
 ....
 dispatch.ttl = 10p
 ....

From the savedsearch.conf docs:

dispatch.ttl = <integer>[p]

  • Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
  • If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
  • the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
  • If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
  • Defaults to 2p.
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...