Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I specify a per-search custom ttl for scheduled search artifacts? If so, how?

the_wolverine
Champion
‎06-23-2011 02:20 PM

I have scheduled alerts whose artifacts expire before I can get to them. Can I specify a custom ttl per alert in version 4.1.x?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎10-09-2011 07:22 PM

This is no longer an issue in version 4.2 where one can now specify a ttl per search.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎10-09-2011 07:22 PM

This is no longer an issue in version 4.2 where one can now specify a ttl per search.

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎06-23-2011 06:54 PM

wolverine,

Per 4.1.7 Savedsearches.conf you should be able to specify the 'dispatch.ttl' param.

dispatch.ttl = <integer>[p]
* Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
* If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
* the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
* If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
* Defaults to 2p.
Reply
Solved! Jump to solution

the_wolverine
Champion
‎07-14-2011 09:59 AM

I've had issues with getting this to work. Despite setting "dispatch.ttl = 604800" for specific alerts, I still have search artifacts that report "expired" after a couple of days. I'll file a ticket.

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎06-24-2011 08:45 AM

Yes. In the case of savedsearches.conf all settings can be set per stanza "saved search" name.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎06-24-2011 08:33 AM

Thank you, Dave. I asked because it is not clear whether this setting can be used on a per-search basis. I'll test it and report back for future reference.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...