Reporting

Does the ttl countdown start from the report execution time? Or, if I check the results of the report in Splunk Web, does ttl start from the time of the check?

yutaka1005
Builder

I made the following settings in alert_actions.conf.

[email]
#14days
ttl=1209600

I thought that the expiration date of the report (*alert action is send email) executed at 8 AM on 6/11 would be 8 AM on 6/25.

However, when I checked the search activity, the expiration date was 6/29 16:56.

Then I checked the dispatch file again and found that only the timestamp of the file generate_preview is 6/15 16:56. (*6/29 16:56 is just 14 days after 6/15 16:56.)

With reference to the following materials, I think that this file is updated when checking the report results from the GUI.
https://www.splunk.com/blog/2012/09/10/a-quick-tour-of-a-dispatch-directory.html

In other words, if I check the report from Splunk Web, is it the specification that the ttl calculation restarts from that time?
If someone knows about it, please tell me.

0 Karma
1 Solution

yutaka1005
Builder

I found that the official documentation mentions the following.

The dispatch directory reaper iterates over all of the artifacts every 30 seconds. The reaper deletes artifacts that have expired, based on the last time that the artifacts were accessed and their configured time to live (TTL), or lifetime.


0 Karma


rvany
Communicator

Are you sure you set your ttl value in the right stanza? It's just a guess that [email] is only for the email-action itself and not for the underlying report/search. Maybe that's the reason that ttl is not mentioned in the email-stanza in the specs file $SPLUNK_HOME/etc/system/README/alert_actions.conf.spec

0 Karma

yutaka1005
Builder

Oh, sorry.
I didn't mention that the report's action is send email.

If the report's action is send email, I'm sure that my setting is right.
Actually, args.txt in the dispatch file of the report says ttl=1209600.

0 Karma
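The behaviour discussed in this thread (expiry counted from the last time the dispatch artifact was touched, plus ttl), as an added example that is not part of any post above and is not Splunk's own code. It assumes args.txt carries a `ttl=<seconds>` line (optionally dash-prefixed) and treats the newest file mtime in the artifact directory as the last access; the directory name, the helper `build_sample` and the year 2018 are constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Assumption: args.txt has a line such as "ttl=1209600" or "--ttl=1209600".
TTL_RE = re.compile(r"^-*ttl=(\d+)\s*$", re.MULTILINE)

def read_ttl(artifact_dir):
    """Return the ttl in seconds recorded in args.txt, or None if absent."""
    try:
        with open(os.path.join(artifact_dir, "args.txt"), encoding="utf-8") as fh:
            match = TTL_RE.search(fh.read())
    except FileNotFoundError:
        return None
    return int(match.group(1)) if match else None

def last_touched(artifact_dir):
    """Newest mtime (UTC) of any file directly inside the artifact directory."""
    with os.scandir(artifact_dir) as entries:
        mtimes = [e.stat().st_mtime for e in entries if e.is_file()]
    return datetime.fromtimestamp(max(mtimes), tz=timezone.utc) if mtimes else None

def estimated_expiry(artifact_dir):
    """Assumed model: expiry = last touch + ttl; None if either is unknown."""
    ttl, touched = read_ttl(artifact_dir), last_touched(artifact_dir)
    if ttl is None or touched is None:
        return None
    return touched + timedelta(seconds=ttl)

def build_sample(root, year=2018):
    """Constructed artifact mirroring the thread: run 6/11 08:00, viewed 6/15 16:56."""
    art = os.path.join(root, "scheduler__constructed_sid")
    os.makedirs(art)
    run = datetime(year, 6, 11, 8, 0, tzinfo=timezone.utc).timestamp()
    viewed = datetime(year, 6, 15, 16, 56, tzinfo=timezone.utc).timestamp()
    for name, body, ts in (("args.txt", "ttl=1209600\n", run),
                           ("generate_preview", "", viewed)):
        path = os.path.join(art, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (ts, ts))  # set atime and mtime to the constructed time
    return art

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(estimated_expiry(build_sample(tmp)))
```

Pointed at a real dispatch directory, `estimated_expiry` gives a quick way to compare against the expiration shown in the search activity view and to spot artifacts whose retention was extended by someone viewing the results.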