Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Set Expiry Time for Saved Scheduled Search Results to 7 days

Polarbear
Engager
‎05-28-2024 10:51 PM

I have a scheduled job that runs every month, storing monthly report and sending an email with the search results.

This setup works well, but I've encountered a problem: the search results expire after 24 hours.

it will show me the search has probably expired or deleted.

How can i set to 7 days  to prevent expired?

Labels (1)
Labels
0 Karma
Reply

deepakc
Builder
‎05-28-2024 11:24 PM

If you click - go into to the saved search, there is a setting called 'Job Settings',  in there is another setting called 'lifetime', this has a setting of 10 minutes or 7 days, perhaps this will help you.  

Reply

Polarbear
Engager
‎05-28-2024 11:41 PM

Thank you for your reply!

Is the "lifetime" setting permanent, or does it need to be configured every time? If it's not permanent, is there any way to set it permanently for saved searches

Tags (1)
0 Karma
Reply

deepakc
Builder
‎05-29-2024 01:32 AM

It looks like you can (not someting I've done as I normally use the default, so worth try it)

From what I gather you can edit for savedsearch.conf file and under your named saved search stanza and add the dispatch.ttl setting

Example

/opt/splunk/etc/my_app/local/savedsaearch.conf

[my_saved_search]
dispatch.ttl = 604800

Have a look at this link

https://docs.splunk.com/Documentation/Splunk/9.2.1/Search/Extendjoblifetimes

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...