I made the following settings in alert_actions.conf
.
[email]
#14days
ttl=1209600
And I thought that the expiration date of the report(* alert action is send email) executed at 6/11 AM 8 o'clock
was 6/25 AM 8 o'clock
.
However, when I check the search activity,
The expiration date was 6/29 16:56
.
Then I checked dispatch file again and I found only timestamp of the file generate_preview
is 6/15 16:56
.(*6/29 16:56
is Just After 14 days from 6/15 16:56
.)
With reference to the following materials, I think that this file is updated when checking the report results from the GUI.
https://www.splunk.com/blog/2012/09/10/a-quick-tour-of-a-dispatch-directory.html
In other words, if I checked the report from Splunk Web, is the specification that restarts calculating ttl from that time?
If someone knows about it, please tell me.
I found that official documentation mention like below.
I found that official documentation mention like below.
Are you sure you set your ttl value in the right stanza? It's just a guess that [email]
is only for the email-action itself and not for the underlying report/search. Maybe that's the reason that ttl
is not mentioned in the email
-stanza in the specs file $SPLUNK_HOME/etc/system/README/alert_actions.conf.spec
Oh sorry.
I didn't mention that the report's action is send email.
If the report's action is send email, I'm sure that my setting is right.
Actually, args.txt
in dispatch
file of the report, it says ttl=1209600
.