Re: Is there a way to set the job TTL to a differe...

bohrasaurabh · ‎08-05-2014

Is there a way to set the job ttl to a different value for a saved search?

woodcock · ‎03-14-2023

You can also use "| noop set_ttl = <NumberOfSecondsHere>"

guilmxm · ‎08-14-2014

bohrasaurabh gave you the answer, edit your search (in savedsearches.conf) As a line like:

dispatch.ttl = 3600

Note that the time is in seconds

bhawkins1 · ‎02-03-2017

Note that you can also specify the value as [0-9]+p, e.g. dispatch.ttl = 7p - this means "save 7 versions of the saved search".

You can then use old searches with, for example | loadjob savedsearch="x:y:z" artifact_offset=3

somesoni2 · ‎08-05-2014

This will help.
http://docs.splunk.com/Documentation/Splunk/6.1.2/Knowledge/SupervisejobswiththeJobspage#Search_job_...

bohrasaurabh · ‎08-05-2014

dispatch.ttl for savedsearch is different from jobs ttl. my understanding is jobs ttl defines how long the job will be in jobs activity.

risgupta_splunk · ‎09-20-2016

Yes, the TTL setting for the alert overrides the setting in savedsearches.conf, but you should set the TTL in both places. The TTL in alert_actions.conf only applies if an alert is triggered, otherwise the TTL in savedsearches.conf applies.

In both places, you can use the p notation or just the number of seconds to save.

There are also settings for TTL in limits.conf, but those only apply to ad hoc searches.

somesoni2 · ‎08-05-2014

I guess you can update savedsearches.conf file for that saved search and set the dispatch.ttl to your configured value. Is that what you're looking for?

Is there a way to set the job TTL to a different value for a saved search?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...