Alerting

Configure triggered alert expiration

edwinmae
Path Finder

Hi,

Its probably somewhere but I can't see it (find it)

http://docs.splunk.com/Documentation/Splunk/6.6.3/Alert/Updatealerts

There is only the: Trigger Actions / Add Actions / e.g. Add to Triggered Alerts

But if default is 24h and I want to set it to e.g. 7 days, how do I do that?

alt text

--

Thanks in advance

/Edwin

Tags (1)
0 Karma

lkeli_spl
Engager

In Splunk 7.*: Settings -> Searches, reports, and alerts -> Edit -> Advanced Edit -> alert.expiresalt text

0 Karma

markbarber21
Path Finder

In 7.3, there is now an "Expires" field which can be set in the simple Edit Alert interface. The "Expires" value is only used to determine the TTL when using the "Add to Triggered Alerts" Action Type.

0 Karma

elliotproebstel
Champion

I believe this setting is controlled by the value set for ttl in alert_actions.conf. Here's an excerpt:

ttl     = <integer>[p]
* Optional argument specifying the minimum time to live (in seconds)
  of the search artifacts, if this action is triggered.
* If p follows integer, then integer is the number of scheduled periods.
* If no actions are triggered, the artifacts will have their ttl determined
  by the "dispatch.ttl" attribute in savedsearches.conf.
* Defaults to 10p
* Defaults to 86400 (24 hours)   for: email, rss
* Defaults to   600 (10 minutes) for: script
* Defaults to   120 (2 minutes)  for: summary_index, populate_lookup
0 Karma

JordanPeterson
Path Finder

to build on this if you don't want to configure these in the .conf file they can be configured by select "Advanced Edit" when you edit the alert from the "Searches, Reports, and Alerts" page. You can then filter by ".ttl"

0 Karma

edwinmae
Path Finder

I remember that in the 'past' this could be defined by editing the Alert. I believe that I found the related setting through Advanced Edit (Alert):

alert.expires

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...