Reporting

Is the timestamp from which the setting value of ttl starts as the report execution time? Or if I check the results of the report on Splunk Web, ttl starts from time of check?

Builder

I made the following settings in alert_actions.conf.

[email]
#14days
ttl=1209600

And I thought that the expiration date of the report(* alert action is send email) executed at 6/11 AM 8 o'clock was 6/25 AM 8 o'clock.

However, when I check the search activity,
The expiration date was 6/29 16:56.

Then I checked dispatch file again and I found only timestamp of the file generate_preview is 6/15 16:56.(*6/29 16:56 is Just After 14 days from 6/15 16:56.)

With reference to the following materials, I think that this file is updated when checking the report results from the GUI.
https://www.splunk.com/blog/2012/09/10/a-quick-tour-of-a-dispatch-directory.html

In other words, if I checked the report from Splunk Web, is the specification that restarts calculating ttl from that time?
If someone knows about it, please tell me.

0 Karma
1 Solution

Builder

I found that official documentation mention like below.


The dispatch directory reaper iterates over all of the artifacts every 30 seconds. The reaper deletes artifacts that have expired based, on the last time that the artifacts were accessed and their configured time to live (TTL), or lifetime.

View solution in original post

0 Karma

Builder

I found that official documentation mention like below.


The dispatch directory reaper iterates over all of the artifacts every 30 seconds. The reaper deletes artifacts that have expired based, on the last time that the artifacts were accessed and their configured time to live (TTL), or lifetime.

View solution in original post

0 Karma

Communicator

Are you sure you set your ttl value in the right stanza? It's just a guess that [email] is only for the email-action itself and not for the underlying report/search. Maybe that's the reason that ttl is not mentioned in the email-stanza in the specs file $SPLUNK_HOME/etc/system/README/alert_actions.conf.spec

0 Karma

Builder

Oh sorry.
I didn't mention that the report's action is send email.

If the report's action is send email, I'm sure that my setting is right.
Actually, args.txt in dispatch file of the report, it says ttl=1209600.

0 Karma