Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you save reports for long term access?

kbb
Engager
‎10-26-2011 10:54 AM

Once reports or saved results are saved, how long are they accessible from the "jobs" page? In the users manual in the "saving reports" section it states "Selecting Get link... automatically saves your report job, which you can access thereafter through the Jobs page". How long is "thereafter"? If you save the results of a report can those be archived elsewhere?

Tags (2)
0 Karma
Reply

lguinn2
Legend
‎10-27-2011 01:18 AM

Once a search job is saved, it is saved forever. It is possible, though, for the Splunk admin to clean out old search jobs. And anyone who has "write" permissions to the search job can delete it as well.

Splunk doesn't actually save the report - it saves a logical list of the events in the search result. This is part of the "artifacts" of a search job. The artifacts are stored in this directory, and each search job has its own subdirectoy:

$SPLUNK_HOME/var/run/splunk/dispatch

I suppose that you could archive this directory if you wanted to archive your search results. However, it might be easier to export your search results and save that instead...

0 Karma
Reply

Jordan_Brough
Path Finder
‎08-24-2012 07:22 AM

Is this still true? I just now did a "Save & Share Results" on a search job and when I inspect the job in the job inspector I see a TTL of 1 week. And in the past I have seen search jobs disappear after some time (I assume it was one week).

0 Karma
Reply
Get Updates on the Splunk Community!

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...