Splunk Search

How do you increase the duration that a search sticks around the server?

muebel
SplunkTrust

I have alerts that send email to people. These emails contain a link to the search on the splunk server. Often, when that link is clicked, it seems that the search has expired. How could I increase the time before a search becomes expired?

1 Solution

ftk
Motivator

You can adjust the time the saved search results are kept after an alert in the alert_actions.conf.

From alert_actions.conf.spec:

ttl = <int>[p]
 * optional argument specifying the minimum ttl in seconds (or if p follows the number, the number
 * of scheduled periods) of the search artifacts if this action is triggered.
 * If no actions are triggered, the artifacts will have their ttl determined by dispatch.ttl (in savedsearches.conf)
 * Defaults to 10p
 * Defaults to 86400 (24 hours)   for: email, rss
 * Defaults to   600 (10 minutes) for: script
 * Defaults to   120 (2 minutes)  for: summary_index, populate_lookup

As you can see for email the default ttl duration is 24 hours (86400 seconds). You can increase this as necessary.


Simeon
Splunk Employee

Search results are persisted for the number of periods set for your saved search. For example, if your saved search is supposed to run every 15 minutes, Splunk will persist data for 2 periods times that duration (30 minutes). If you use a scripted alert, that particular data is controlled by a separate setting. For results specific to a saved search, use the following setting under your savedsearches.conf stanza:

dispatch.ttl = <integer>[p]
* Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
* If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
* the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
* If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
* Defaults to 2p.

It is important to note there is a setting for disk quota on a per role basis. This is controlled within the authorize.conf file and is typically set while you are figuring out how many durations you want to store. For example, you will need to increase the diskquota if you plan to persist more artifacts.

ftk
Motivator

One must note though that since muebel is performing alert actions on his saved searches, the dispatch.ttl is replaced by the values in alert_actions.conf, so changes in savedsearches.conf will be ignored.

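To tie the two answers together, here is an added configuration example (not from the original thread) showing where each ttl lives and which one governs once an email action fires. The stanza name, search, schedule, recipient, role name and quota values are assumptions for illustration only.

```ini
# savedsearches.conf (local)
# Constructed example: a scheduled alert that emails the SOC on failed logins.
[Failed logins per host]
search = index=auth action=failure | stats count by host
cron_schedule = */15 * * * *
# dispatch.ttl only applies when NO alert action fires.
# 2p = 2 scheduled periods = 2 x 15 min = 30 min (this is the default).
dispatch.ttl = 2p
action.email = 1
action.email.to = soc@example.com

# alert_actions.conf (local)
# When the email action fires, this ttl replaces dispatch.ttl for the search
# artifacts, so it is the value that decides how long the emailed link works.
# If several actions fire, the largest of their ttl values is applied.
[email]
# Default is 86400 (24 hours); raised to 7 days so a link survives a weekend.
ttl = 604800

# authorize.conf (local)
# Longer-lived artifacts stay on disk longer and count against the search
# disk quota of the role that owns the search, so raise it in step.
# Value is in MB; 2000 is an assumption, size it for your environment.
[role_soc_analyst]
srchDiskQuota = 2000
```

After editing these files, restart Splunk or reload the configuration and confirm the new ttl by checking the artifact expiry shown in the Jobs view for the next run of the alert.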

