Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Configure triggered alert expiration

edwinmae
Path Finder
‎05-08-2018 02:47 AM

Hi,

Its probably somewhere but I can't see it (find it)

http://docs.splunk.com/Documentation/Splunk/6.6.3/Alert/Updatealerts

There is only the: Trigger Actions / Add Actions / e.g. Add to Triggered Alerts

But if default is 24h and I want to set it to e.g. 7 days, how do I do that?

alt text

--

Thanks in advance

/Edwin

Tags (1)
Preview file
15 KB
Reply

lkeli_spl
Engager
‎12-11-2019 05:16 AM

In Splunk 7.*: Settings -> Searches, reports, and alerts -> Edit -> Advanced Edit -> alert.expiresalt text

Preview file
23 KB
Reply

markbarber21
Path Finder
‎07-12-2019 07:16 AM

In 7.3, there is now an "Expires" field which can be set in the simple Edit Alert interface. The "Expires" value is only used to determine the TTL when using the "Add to Triggered Alerts" Action Type.

0 Karma
Reply

elliotproebstel
Champion
‎05-08-2018 10:57 AM

I believe this setting is controlled by the value set for ttl in alert_actions.conf. Here's an excerpt:

ttl     = <integer>[p]
* Optional argument specifying the minimum time to live (in seconds)
  of the search artifacts, if this action is triggered.
* If p follows integer, then integer is the number of scheduled periods.
* If no actions are triggered, the artifacts will have their ttl determined
  by the "dispatch.ttl" attribute in savedsearches.conf.
* Defaults to 10p
* Defaults to 86400 (24 hours)   for: email, rss
* Defaults to   600 (10 minutes) for: script
* Defaults to   120 (2 minutes)  for: summary_index, populate_lookup
0 Karma
Reply

JordanPeterson
Path Finder
‎05-08-2018 01:05 PM

to build on this if you don't want to configure these in the .conf file they can be configured by select "Advanced Edit" when you edit the alert from the "Searches, Reports, and Alerts" page. You can then filter by ".ttl"

0 Karma
Reply

edwinmae
Path Finder
‎05-08-2018 09:26 PM

I remember that in the 'past' this could be defined by editing the Alert. I believe that I found the related setting through Advanced Edit (Alert):

alert.expires

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...