What is the difference between Splunk's TTL settings?

sat94541
Communicator

There are several TTL (Time To Live) settings. Can you tell us what the difference is between these, and do they refer to the time the search has to live/execute or to the search results?

· defaultSaveTTL
· defaultTTL
· eai:acl.ttl
· ttl

rbal_splunk
Splunk Employee

Below is my research on these Splunk TTL settings.

i) defaultTTL: This is the default ttl value of how long the search artifact should be extended in response to the save control action, in seconds. 0 = indefinitely. Defaults to 604800 (1 week). This is defined in
----limits.conf----
default_save_ttl =
* How long the ttl for a search artifact should be extended in response to the
save control action, in second. 0 = indefinitely.
* Defaults to 604800 (1 week)

ii) defaultTTL: this seems to be defined in alert_actions.conf:
ttl = [p]
* Optional argument specifying the minimum time to live (in seconds)
of the search artifacts, if this action is triggered.
* If p follows integer, then integer is the number of scheduled periods.
* If no actions are triggered, the artifacts will have their ttl determined
by the "dispatch.ttl" attribute in savedsearches.conf.
* Defaults to 10p
* Defaults to 86400 (24 hours) for: email, rss
* Defaults to 600 (10 minutes) for: script
* Defaults to 120 (2 minutes) for: summary_index, populate_lookup

iii) eai:acl.ttl: this shows the value that the job selected based on whether it is an ad hoc search, an alert with an email action, summary index, etc.

iv) ttl: this is a changing value, like a counter; it continually decreases, indicating the time left until the search artifact expires.
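The alert_actions.conf rules quoted in the answer above, worked through as an added example (not part of the original post and not Splunk's own code). The function names, the 300-second schedule period and the sample dispatch.ttl value are constructed for illustration; taking the longest TTL when several actions trigger is an assumption the answer does not state.

```python
import re

# Per-action defaults as quoted in the answer (alert_actions.conf), in seconds.
ACTION_TTL_DEFAULTS = {
    "email": "86400",
    "rss": "86400",
    "script": "600",
    "summary_index": "120",
    "populate_lookup": "120",
}
GLOBAL_TTL_DEFAULT = "10p"  # "Defaults to 10p" for any other action

_TTL_RE = re.compile(r"^(\d+)(p?)$")


def ttl_seconds(value, period_s):
    """Convert '<int>' or '<int>p' to seconds.

    A trailing 'p' means the integer counts scheduled periods, so the
    result depends on how often the saved search runs (period_s).
    """
    match = _TTL_RE.match(value.strip())
    if match is None:
        raise ValueError(f"not a valid ttl value: {value!r}")
    count = int(match.group(1))
    return count * period_s if match.group(2) else count


def artifact_ttl(triggered_actions, dispatch_ttl, period_s, overrides=None):
    """Return how long (seconds) a scheduled search's artifact is kept.

    No triggered actions: dispatch.ttl from savedsearches.conf applies.
    Otherwise each triggered action sets a minimum TTL; this sketch keeps
    the artifact for the longest of them (assumption, see lead-in).
    """
    overrides = overrides or {}
    if not triggered_actions:
        return ttl_seconds(dispatch_ttl, period_s)
    values = (
        overrides.get(name, ACTION_TTL_DEFAULTS.get(name, GLOBAL_TTL_DEFAULT))
        for name in triggered_actions
    )
    return max(ttl_seconds(v, period_s) for v in values)


if __name__ == "__main__":
    period = 300  # constructed: search scheduled every 5 minutes
    for actions in ([], ["script"], ["email", "script"], ["webhook"]):
        print(actions, artifact_ttl(actions, "2p", period))
```

The result is the starting value of a job's ttl field, which then counts down as described in item iv.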
