Does the ttl setting start counting from the report's execution time? Or, if I check the report's results in Splunk Web, does ttl start from the time of that check?

yutaka1005
Builder

I made the following setting in alert_actions.conf.

[email]
#14days
ttl=1209600

And I thought that the expiration date of the report (the alert action is send email) executed at 8:00 AM on 6/11 would be 8:00 AM on 6/25.

However, when I checked the search activity, the expiration date was 6/29 16:56.

Then I checked the dispatch directory again and found that only the timestamp of the file generate_preview is 6/15 16:56 (6/29 16:56 is exactly 14 days after 6/15 16:56).

With reference to the following material, I think this file is updated when the report results are checked from the GUI.
https://www.splunk.com/blog/2012/09/10/a-quick-tour-of-a-dispatch-directory.html

In other words, if I check the report from Splunk Web, is it by design that the ttl calculation restarts from that time?
If anyone knows about this, please tell me.

0 Karma
1 Solution

yutaka1005
Builder

I found that the official documentation says the following.

The dispatch directory reaper iterates over all of the artifacts every 30 seconds. The reaper deletes artifacts that have expired based on the last time that the artifacts were accessed and their configured time to live (TTL), or lifetime.

0 Karma
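The rule in the quoted documentation (expiry is measured from the artifact's last access, not from when the search ran), worked through with the dates from the question. This is an added Python example and not Splunk's own reaper code or anything posted in this thread; the year 2019, the artifact name "report_dispatch_dir", and the use of the generate_preview mtime as the "last accessed" proxy are assumptions for illustration.

```python
import os
from datetime import datetime, timedelta

# Constructed example: a minimal model of the dispatch reaper rule quoted
# above (expiry = last access time + ttl). Not Splunk's implementation.
TTL_SECONDS = 1209600  # 14 days, the [email] ttl value from the question


class Artifact:
    """One dispatch directory as the reaper sees it."""

    def __init__(self, name, created, ttl_seconds=TTL_SECONDS):
        self.name = name
        self.created = created
        self.ttl = timedelta(seconds=ttl_seconds)
        self.last_accessed = created  # nothing has touched it yet

    def access(self, when):
        # Viewing the results in Splunk Web rewrites files such as
        # generate_preview, which counts as an access and restarts the clock.
        if when > self.last_accessed:
            self.last_accessed = when

    def expires_at(self):
        # The reaper measures from last access, not from creation.
        return self.last_accessed + self.ttl

    def expired(self, now):
        return now >= self.expires_at()


def reap(artifacts, now):
    """One reaper pass: return the names of artifacts that have expired at `now`."""
    return sorted(a.name for a in artifacts if a.expired(now))


def walkthrough():
    """Reproduce the timeline from the question (year 2019 assumed)."""
    ran = datetime(2019, 6, 11, 8, 0)
    report = Artifact("report_dispatch_dir", ran)  # hypothetical name
    created_plus_ttl = report.expires_at()          # the asker's expectation
    report.access(datetime(2019, 6, 15, 16, 56))   # results opened in Splunk Web
    last_access_plus_ttl = report.expires_at()      # what search activity showed
    return {
        "created_plus_ttl": created_plus_ttl.isoformat(),
        "last_access_plus_ttl": last_access_plus_ttl.isoformat(),
        "reaped_on_0625": reap([report], datetime(2019, 6, 25, 8, 0)),
        "reaped_on_0629": reap([report], datetime(2019, 6, 29, 16, 56)),
    }


def expiry_from_dispatch_dir(path, ttl_seconds=TTL_SECONDS):
    """Estimate a real dispatch directory's expiry from its generate_preview mtime.

    Assumption: that file's mtime tracks the last access, as the question
    observed. The reaper keeps its own bookkeeping, so treat this as an estimate.
    """
    mtime = os.path.getmtime(os.path.join(path, "generate_preview"))
    return datetime.fromtimestamp(mtime) + timedelta(seconds=ttl_seconds)


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Run it as-is to see the two expiry times side by side; point expiry_from_dispatch_dir at a directory under $SPLUNK_HOME/var/run/splunk/dispatch to estimate when a live artifact will be reaped.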


rvany
Communicator

Are you sure you set your ttl value in the right stanza? It's just a guess, but [email] may apply only to the email action itself and not to the underlying report/search. Maybe that's the reason ttl is not mentioned in the email stanza in the spec file $SPLUNK_HOME/etc/system/README/alert_actions.conf.spec

0 Karma

yutaka1005
Builder

Oh, sorry.
I didn't mention that the report's action is send email.

If the report's action is send email, I'm sure that my setting is right.
Actually, args.txt in the report's dispatch directory says ttl=1209600.

0 Karma