Splunk Search

How do you increase the duration that a search sticks around the server?

muebel
SplunkTrust

I have alerts that send email to people. These emails contain a link to the search on the splunk server. Often, when that link is clicked, it seems that the search has expired. How could I increase the time before a search becomes expired?

1 Solution

ftk
Motivator

You can adjust the time the saved search results are kept after an alert in the alert_actions.conf.

From alert_actions.conf.spec:

ttl     = <int>[p]
 * optional argument specifying the minimum ttl in seconds (or if p follows the number, the number 
 * of scheduled periods) of the search artifact's if this  action is triggered.
 * If no actions are triggered, the artifacts will have their ttl determined by dispatch.ttl (in savedsearches.conf)
 * Defaults to 10p 
 * Defaults to 86400 (24 hours)   for: email, rss
 * Defaults to   600 (10 minutes) for: script 
 * Defaults to   120 (2 minutes)  for: summary_index, populate_lookup 

As you can see for email the default ttl duration is 24 hours (86400 seconds). You can increase this as necessary.


Simeon
Splunk Employee

Search results are persisted for the number of periods set for your saved search. For example, if your saved search is supposed to run every 15 minutes, Splunk will persist data for 2 periods times that duration (30 minutes). If you use a scripted alert, that particular data is controlled by a separate setting. For results specific to a saved search, use the following setting under your savedsearches.conf stanza:

dispatch.ttl = <integer>[p]
* Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
* If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
* the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
* If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
* Defaults to 2p.

It is important to note there is a setting for disk quota on a per role basis. This is controlled within the authorize.conf file and is typically set while you are figuring out how many durations you want to store. For example, you will need to increase the diskquota if you plan to persist more artifacts.

ftk
Motivator

One must note though that since muebel is performing alert actions on his saved searches, the dispatch.ttl is replaced by the values in alert_actions.conf, so changes in savedsearches.conf will be ignored.

0 Karma
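The three answers above describe one precedence rule spread over two files: with no alert action, an artifact lives for dispatch.ttl from savedsearches.conf (default 2p); when actions fire, each action's ttl from alert_actions.conf applies instead and the largest one wins; a trailing p means multiples of the schedule period. The script below is an added example, not code from Splunk or from anyone in this thread. It resolves the effective TTL for a saved search from two constructed .conf snippets. It assumes the schedule period is handed in as seconds (it does not parse cron_schedule), that an action is triggered exactly when it is enabled with action.<name> = 1 and the alert fires, and it uses a minimal INI parser in place of Splunk's real configuration layering.

```python
"""Resolve the effective artifact TTL of a Splunk saved search.

Added example (not Splunk's code). Applies the rules quoted in this thread:
  - no action triggered  -> dispatch.ttl from savedsearches.conf, default 2p
  - actions triggered    -> max of each action's ttl from alert_actions.conf
  - '<int>p'             -> <int> multiples of the search's schedule period
Assumptions: period is given in seconds (cron_schedule is not parsed), and an
enabled action (action.<name> = 1) counts as triggered when the alert fires.
"""
import configparser
from typing import Dict, List

# Per-action defaults as listed in alert_actions.conf.spec in this thread.
ACTION_TTL_DEFAULTS = {
    "email": "86400",
    "rss": "86400",
    "script": "600",
    "summary_index": "120",
    "populate_lookup": "120",
}
GENERIC_ACTION_TTL = "10p"   # spec default for actions not listed above
DEFAULT_DISPATCH_TTL = "2p"  # savedsearches.conf.spec default

# Constructed sample configs (hypothetical stanza and values).
SAVEDSEARCHES_CONF = """
[failed_logins_alert]
search = index=auth action=failure | stats count by user
cron_schedule = */15 * * * *
dispatch.ttl = 48p
action.email = 1
action.email.to = soc@example.com
action.summary_index = 1
"""

ALERT_ACTIONS_CONF = """
[email]
ttl = 604800
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk-style [stanza] key = value text into nested dicts."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def ttl_to_seconds(value: str, period_seconds: int) -> int:
    """Convert '<int>' (seconds) or '<int>p' (schedule periods) to seconds."""
    value = value.strip()
    if value.endswith("p"):
        return int(value[:-1]) * period_seconds
    return int(value)


def enabled_actions(search_stanza: Dict[str, str]) -> List[str]:
    """Action names enabled on the search via 'action.<name> = 1'."""
    return sorted(
        key[len("action."):]
        for key, val in search_stanza.items()
        if key.startswith("action.") and key.count(".") == 1 and val.strip() == "1"
    )


def action_ttl(name: str, alert_actions: Dict[str, Dict[str, str]],
               period_seconds: int) -> int:
    """ttl for one action: explicit stanza value, else the spec default."""
    raw = alert_actions.get(name, {}).get("ttl")
    if raw is None:
        raw = ACTION_TTL_DEFAULTS.get(name, GENERIC_ACTION_TTL)
    return ttl_to_seconds(raw, period_seconds)


def effective_ttl(search_stanza: Dict[str, str],
                  alert_actions: Dict[str, Dict[str, str]],
                  period_seconds: int, fired: bool = True) -> int:
    """Seconds the search artifact is kept, per the precedence rules above."""
    actions = enabled_actions(search_stanza) if fired else []
    if not actions:
        raw = search_stanza.get("dispatch.ttl", DEFAULT_DISPATCH_TTL)
        return ttl_to_seconds(raw, period_seconds)
    # Multiple triggered actions: the maximum ttl is applied to the artifacts.
    return max(action_ttl(a, alert_actions, period_seconds) for a in actions)


if __name__ == "__main__":
    saved = parse_conf(SAVEDSEARCHES_CONF)["failed_logins_alert"]
    actions = parse_conf(ALERT_ACTIONS_CONF)
    period = 15 * 60  # */15 cron -> 900 s, supplied by hand
    print("enabled actions:", enabled_actions(saved))
    print("ttl if alert fires   :", effective_ttl(saved, actions, period, fired=True))
    print("ttl if nothing fires :", effective_ttl(saved, actions, period, fired=False))
```

Running it shows why ftk's follow-up matters: as long as the email action fires, the 48p dispatch.ttl never applies and the emailed link lives as long as the email stanza's ttl (one week here); only when no action triggers does dispatch.ttl decide.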

