Alerting

Can I change the duration of expiration for "link to results" in Alert mail?

suchi01
New Member

I have created an Alert and configured it to "Triggered Alerts" and "Send email".
I want the "link to results" sent in the email to expire after 60 days. Is it possible to change the expiry duration of the email link?
If yes, how could I do so?

I have tried changing it from Settings > Searches, Reports & Alerts > (Alert-name) > Advanced Edit > alert.expires. I tried setting "alert expires" to 5 mins, but the link did not expire in 5 mins.

I also tried changing the ttl value under the [email] stanza in alert_actions.conf, but this did not work either.

Please suggest some method to change expiration duration of email link to view results.

Also I want to add one more link in email directing to a dashboard displaying total alerts generated.
How could I add a "link to dashboard" in the mail along with the already present "link to results" of current alert?

0 Karma

Vijeta
Influencer

@suchi01 - This may be helpful, from the Splunk documentation: https://docs.splunk.com/Documentation/Splunk/8.0.1/Alert/Updatealerts

Update triggered alert record lifespans
By default, each triggered alert record on the Triggered Alerts page expires after 24 hours. You can update the lifespans for triggered alert records on a per-alert basis.

Here are steps for updating the lifespans of the triggered alert records for a specific alert. These steps apply only to alerts that have the "Add to Triggered Alerts" action enabled.

    From the top-level navigation bar, select Settings > Searches, reports, and alerts.
    (Optional) Select Type > Alerts to filter the list so it displays only alerts.
    Locate the alert that you want to modify under Name.
    Select Edit > Edit Alert.
    Define the lifespan of the triggered alert record by setting the Expires field.
    Enter an integer and select a time unit from the dropdown. For example, to have all triggered alert records for this alert have a three-day lifespan, enter 3 and select day(s).
    Click Save.
0 Karma

suchi01
New Member

Hi,

I am really thankful for your kind gesture to reply, but the issue in my case is that I am using Splunk version 6.6.3 and I could not locate the Expires field in the Edit Alert option.

Can you suggest something for Splunk version 6.6.3?

0 Karma

Vijeta
Influencer

Hi @suchi01,
In the same documentation link you can change the version to 6.6.3; it gives you the alert.expire option to set the expiration. See below:

Configure triggered alert expiration
By default, each alert trigger record on the Triggered Alerts page expires after seven days. Here are steps for updating triggered alert expiration. These steps apply only to alerts with the "Add to Triggered Alerts" action enabled.

    From the top-level navigation bar, select Settings > Searches, reports, and alerts.
    Locate the alert that you want to modify under Search Name.
    Select Advanced Edit.
    Scroll down to alert.expires.
    Enter an integer and specify one of the following units: seconds (s), minutes (m), hours (h), days (d). 
    For example, to set the alert to expire in 3 days, specify 3d.
    Click Save.
0 Karma