Alerting
Highlighted

Can I specify a per-search custom ttl for scheduled search artifacts? If so, how?

Champion

I have scheduled alerts whose artifacts expire before I can get to them. Can I specify a custom ttl per alert in version 4.1.x?

0 Karma
Highlighted

Re: Can I specify a per-search custom ttl for scheduled search artifacts? If so, how?

Builder

wolverine,

Per 4.1.7 Savedsearches.conf you should be able to specify the 'dispatch.ttl' param.

dispatch.ttl = <integer>[p]
* Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
* If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
* the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
* If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
* Defaults to 2p.
Highlighted

Re: Can I specify a per-search custom ttl for scheduled search artifacts? If so, how?

Champion

Thank you, Dave. I asked because it is not clear whether this setting can be used on a per-search basis. I'll test it and report back for future reference.

0 Karma
Highlighted

Re: Can I specify a per-search custom ttl for scheduled search artifacts? If so, how?

Builder

Yes. In the case of savedsearches.conf all settings can be set per stanza "saved search" name.

0 Karma
Highlighted

Re: Can I specify a per-search custom ttl for scheduled search artifacts? If so, how?

Champion

I've had issues with getting this to work. Despite setting "dispatch.ttl = 604800" for specific alerts, I still have search artifacts that report "expired" after a couple of days. I'll file a ticket.

0 Karma
Highlighted

Re: Can I specify a per-search custom ttl for scheduled search artifacts? If so, how?

Champion

This is no longer an issue in version 4.2 where one can now specify a ttl per search.

View solution in original post

0 Karma