How do I make my alert artifacts stick around longer?

MonkeyK
Builder

I need search results involved in alerts to be available for a longer period of time than they are now (currently, nobody on my team seems to get to the alert in time to see the alerting event).

I know that this question was asked before:

https://answers.splunk.com/answers/440040/saving-alert-artifacts-for-longer-periods-of-time.html

However, I cannot make that solution work. The solution is supposed to be that I run the alert search and set its job settings to have a longer lifetime. When I do that, the setting reverts to 10m the next time I open the alert search up.

In my saved search listing, I do notice that there is an advanced edit with 600+ values, including 30 ttl values. Is one of those values the right thing to set?


somesoni2
Revered Legend

You should set the attribute dispatch.ttl:

dispatch.ttl = <integer>[p]
* Indicates the time to live (in seconds) for the artifacts of the scheduled
  search, if no actions are triggered.
* If the integer is followed by the letter 'p' Splunk interprets the ttl as a
  multiple of the scheduled search's execution period (e.g. if the search is
  scheduled to run hourly and ttl is set to 2p the ttl of the artifacts will be
  set to 2 hours).
* If an action is triggered Splunk changes the ttl to that action's ttl. If
  multiple actions are triggered, Splunk applies the largest action ttl to the
  artifacts. To set the action's ttl, refer to alert_actions.conf.spec.
* For more info on search's ttl please see limits.conf.spec [search] ttl
* Defaults to 2p (that is, 2 x the period of the scheduled search).

MonkeyK
Builder

Well then, something must be wrong.
In advanced edit, I had found "dispatch.ttl" and set its value to 259200 (3 days). The search jobs seem as if they stay for 3 days: I can see create and expire dates like this:
Nov 20, 2017 9:20:01 PM Nov 23, 2017 9:20:04 PM

And yet I was alerted today at 12:20, the alert link (from the email) says "Page not found!" and the alert page says "There are no fired events for this alert," while the job listing has the alert search job from 12:20 in which I can see the triggering event. So it's as if the alert artifact has a shorter life than the alert search.

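As an added illustration (not configuration posted by either participant), here is a pair of stanzas consistent with the spec text quoted in the answer: dispatch.ttl only governs runs that trigger no action, so once the email action fires, the artifact lifetime comes from that action's own ttl in alert_actions.conf. The stanza name, search, schedule, address and file paths are assumed for the example.

```ini
# Assumed example, not configuration from the thread.
# $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
[my_team_alert]
search = index=main sourcetype=access_combined status=500
cron_schedule = 20 * * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
# Artifact lifetime when NO action fires: 3 days, in seconds
dispatch.ttl = 259200
# Alternative form: 72 execution periods of an hourly schedule
# dispatch.ttl = 72p
action.email = 1
action.email.to = oncall@example.com

# $SPLUNK_HOME/etc/apps/<app>/local/alert_actions.conf
# When the email action triggers, this ttl replaces dispatch.ttl
# (if several actions fire, the largest action ttl is applied).
[email]
ttl = 259200
```

Keep both values aligned: a short action ttl explains an alert whose triggering search job is still listed while the alert's own artifact link has already expired.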