I have alerts that send email to people. These emails contain a link to the search on the splunk server. Often, when that link is clicked, it seems that the search has expired. How could I increase the time before a search becomes expired?
You can adjust the time the saved search results are kept after an alert in the alert_actions.conf.
From alert_actions.conf.spec:
ttl = <int>[p]
* optional argument specifying the minimum ttl in seconds (or if p follows the number, the number
* of scheduled periods) of the search artifacts if this action is triggered.
* If no actions are triggered, the artifacts will have their ttl determined by dispatch.ttl (in savedsearches.conf)
* Defaults to 10p
* Defaults to 86400 (24 hours) for: email, rss
* Defaults to 600 (10 minutes) for: script
* Defaults to 120 (2 minutes) for: summary_index, populate_lookup
As you can see for email the default ttl duration is 24 hours (86400 seconds). You can increase this as necessary.
Search results are persisted for the number of periods set for your saved search. For example, if your saved search is supposed to run every 15 minutes, Splunk will persist data for 2 periods times that duration (30 minutes). If you use a scripted alert, that particular data is controlled by a separate setting. For results specific to a saved search, use the following setting under your savedsearches.conf stanza:
dispatch.ttl = <integer>[p]
* Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
* If an action is triggered the ttl is changed to that action's ttl; if multiple actions are triggered,
* the maximum ttl is applied to the artifacts. For setting an action's ttl refer to alert_actions.conf.spec
* If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
* Defaults to 2p.
It is important to note there is a setting for disk quota on a per role basis. This is controlled within the authorize.conf file and is typically set while you are figuring out how many durations you want to store. For example, you will need to increase the diskquota if you plan to persist more artifacts.
One must note, though, that since muebel is performing alert actions on his saved searches, the dispatch.ttl is replaced by the values in alert_actions.conf, so changes in savedsearches.conf will be ignored.
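The two spec excerpts quoted in the answers describe how dispatch.ttl and the per-action ttl combine. The following Python script is added here as an illustration; it is not from any answer on this page and is not Splunk code. It parses constructed savedsearches.conf and alert_actions.conf fragments and computes how long the artifacts of a search that runs every 15 minutes survive, with and without the e-mail action firing. The stanza name, cron schedule, recipient address and the 7-day e-mail ttl are invented; the default values are the ones quoted from the spec above, and the 900-second period is read off the cron schedule by hand rather than parsed.

```python
import configparser

# Constructed sample fragments for illustration only; they are not from the
# original answers or from any real deployment. The saved search runs every
# 15 minutes (period = 900 s) and sends e-mail; the e-mail action's ttl has
# been raised from the 86400 s default to 7 days (604800 s).
SAVEDSEARCHES_CONF = """
[Failed logins spike]
cron_schedule = */15 * * * *
dispatch.ttl = 2p
action.email = 1
action.email.to = soc@example.com
"""

ALERT_ACTIONS_CONF = """
[email]
ttl = 604800

[script]
ttl = 600
"""

# Per-action defaults quoted from alert_actions.conf.spec above. Any action
# not listed here falls back to 10p (ten scheduled periods).
ACTION_TTL_DEFAULTS = {
    "email": "86400",
    "rss": "86400",
    "script": "600",
    "summary_index": "120",
    "populate_lookup": "120",
}
FALLBACK_ACTION_TTL = "10p"
DEFAULT_DISPATCH_TTL = "2p"   # savedsearches.conf.spec default


def load_conf(text):
    """Parse a Splunk-style .conf fragment (INI syntax, dotted keys kept as-is)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. "action.email"
    cp.read_string(text)
    return cp


def ttl_seconds(value, period_seconds):
    """Resolve <int>[p]: a trailing 'p' means that many scheduled periods."""
    value = value.strip()
    if value.endswith("p"):
        return int(value[:-1]) * period_seconds
    return int(value)


def enabled_actions(stanza):
    """Names of actions enabled on the search via 'action.<name> = 1'."""
    return [key.split(".", 1)[1]
            for key, val in stanza.items()
            if key.startswith("action.") and key.count(".") == 1
            and val.strip() == "1"]


def effective_ttl(savedsearches, alert_actions, search_name, period_seconds,
                  actions_triggered):
    """Seconds the search artifacts live, following the two spec excerpts:
    no action triggered -> dispatch.ttl; otherwise the maximum of the
    triggered actions' ttl values, and dispatch.ttl is ignored."""
    stanza = savedsearches[search_name]
    dispatch = ttl_seconds(stanza.get("dispatch.ttl", DEFAULT_DISPATCH_TTL),
                           period_seconds)
    actions = enabled_actions(stanza) if actions_triggered else []
    if not actions:
        return dispatch
    ttls = []
    for name in actions:
        if alert_actions.has_section(name) and alert_actions.has_option(name, "ttl"):
            raw = alert_actions.get(name, "ttl")
        else:
            raw = ACTION_TTL_DEFAULTS.get(name, FALLBACK_ACTION_TTL)
        ttls.append(ttl_seconds(raw, period_seconds))
    return max(ttls)


if __name__ == "__main__":
    ss = load_conf(SAVEDSEARCHES_CONF)
    aa = load_conf(ALERT_ACTIONS_CONF)
    period = 900  # "*/15 * * * *" -> every 15 minutes, worked out by hand
    print("no action fired:", effective_ttl(ss, aa, "Failed logins spike", period, False))
    print("e-mail fired:   ", effective_ttl(ss, aa, "Failed logins spike", period, True))
```

With the sample stanza, a run where nothing fires keeps the artifacts for 2p = 1800 seconds, while a run that sends the e-mail keeps them for the 604800 seconds set in alert_actions.conf; if the [email] stanza carried no ttl at all, the 86400-second default from the spec would apply instead. Remember the disk-quota point from the answer above: a longer ttl means more artifacts on disk per role.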