Problem with saved searches and job ttl

garenilla
Explorer

Hello splunkers,

I'm working with saved searches and job ttl, and with 2 saved searches where the only thing that changes is the sourcetype, nothing more. With the same configuration in savedsearches.conf, for the first one the jobs expire in one day, and for the other one in two minutes. Both searches also have the same cron, run each minute, same window.
The first one has this configuration

[QUERY ONE]
action.alert_impact_equity = 0
action.email.include.results_link = 0
action.email.include.view_link = 0
action.email.inline = 1
action.email.sendresults = 1
action.email.subject.report = Query one
action.email.useNSSubject = 1
alert.digest_mode = 0
alert.suppress = 0
alert.track = 1
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = */1 * * * *
description = Description one
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = equity
request.ui_dispatch_view = search
schedule_window = 1
search = THESEARCH

and the other one

[QUERY TWO]
action.alert_impact_equity = 0
action.email.include.results_link = 0
action.email.include.view_link = 0
action.email.inline = 1
action.email.sendresults = 1
action.email.subject.report = Query two
action.email.useNSSubject = 1
alert.digest_mode = 0
alert.suppress = 0
alert.track = 1
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = */1 * * * *
description = Description two
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = equity
request.ui_dispatch_view = search
schedule_window = 1
search = THESEARCH

Also, if I edit with the interface, both have the same for the ttl.

Maybe I'm missing something, but why is the jobs ttl different for saved searches with the same configuration?

Thank you for reading!

0 Karma

woodcock
Esteemed Legend

If everything that you are saying is true, then this is definitely a bug and you should open a support ticket.

0 Karma