Alerting
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Configure triggered alert expiration

edwinmae
Path Finder
‎05-08-2018 02:47 AM

Hi,

Its probably somewhere but I can't see it (find it)

http://docs.splunk.com/Documentation/Splunk/6.6.3/Alert/Updatealerts

There is only the: Trigger Actions / Add Actions / e.g. Add to Triggered Alerts

But if default is 24h and I want to set it to e.g. 7 days, how do I do that?

alt text

--

Thanks in advance

/Edwin

Tags (1)
trigger-alert.png
Preview file
15 KB
Reply

lkeli_spl
Engager
‎12-11-2019 05:16 AM

In Splunk 7.*: Settings -> Searches, reports, and alerts -> Edit -> Advanced Edit -> alert.expiresalt text

alert-expires.jpg
Preview file
23 KB
Reply

markbarber21
Path Finder
‎07-12-2019 07:16 AM

In 7.3, there is now an "Expires" field which can be set in the simple Edit Alert interface. The "Expires" value is only used to determine the TTL when using the "Add to Triggered Alerts" Action Type.

0 Karma
Reply

elliotproebstel
Champion
‎05-08-2018 10:57 AM

I believe this setting is controlled by the value set for ttl in alert_actions.conf. Here's an excerpt:

ttl     = <integer>[p]
* Optional argument specifying the minimum time to live (in seconds)
  of the search artifacts, if this action is triggered.
* If p follows integer, then integer is the number of scheduled periods.
* If no actions are triggered, the artifacts will have their ttl determined
  by the "dispatch.ttl" attribute in savedsearches.conf.
* Defaults to 10p
* Defaults to 86400 (24 hours)   for: email, rss
* Defaults to   600 (10 minutes) for: script
* Defaults to   120 (2 minutes)  for: summary_index, populate_lookup
0 Karma
Reply

JordanPeterson
Path Finder
‎05-08-2018 01:05 PM

to build on this if you don't want to configure these in the .conf file they can be configured by select "Advanced Edit" when you edit the alert from the "Searches, Reports, and Alerts" page. You can then filter by ".ttl"

0 Karma
Reply

edwinmae
Path Finder
‎05-08-2018 09:26 PM

I remember that in the 'past' this could be defined by editing the Alert. I believe that I found the related setting through Advanced Edit (Alert):

alert.expires

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top