Solved: Saving alert artifacts for longer periods of time.

horsefez · ‎08-09-2016

Hi fellow splunkers,

I have some sheduled alerts in my instance and I get a notification via email if one of the alert triggers.
The email includes a link to the results. Sadly this link expires after 2 days (?).

I have read about dispatch.ttl and other ttl values already, but have no clue how to extend the time a search artifact is valid.

How could I be able to set the expiration date of these links much higer?

Thanks in advance!

Best regards,
pyro_wood

sjohnson_splunk · ‎08-09-2016

When you create the saved search and schedule it in the web UI, there is a an expiration dropdown which allows you to change the ttl.

View solution in original post

isreis · ‎10-06-2016

The ttl is very important set if you want to get the alert or scheduled report to remain more than standard time.
conf at alerts.conf
ttl = [p]
* Optional argument specifying the minimum time to live (in seconds)
of the search artifacts, if this action is triggered.
* If p follows integer, then integer is the number of scheduled periods.
* If no actions are triggered, the artifacts will have their ttl determined
by the "dispatch.ttl" attribute in savedsearches.conf.

Defaults to 10p
Defaults to 86400 (24 hours) for: email, rss
Defaults to 600 (10 minutes) for: script
Defaults to 120 (2 minutes) for: summary_index, populate_lookup

for additional information please visit this link for alert - http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Alertactionsconf
and for saved searches ttl scheduled reports please visit this link : https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Savedsearchesconf

dispatch search options:

dispatch.ttl = [p]
* Indicates the time to live (in seconds) for the artifacts of the scheduled
search, if no actions are triggered.
* If the integer is followed by the letter 'p' Splunk interprets the ttl as a
multiple of the scheduled search's execution period (e.g. if the search is
scheduled to run hourly and ttl is set to 2p the ttl of the artifacts will be
set to 2 hours).
* If an action is triggered Splunk changes the ttl to that action's ttl. If
multiple actions are triggered, Splunk applies the largest action ttl to the
artifacts. To set the action's ttl, refer to alert_actions.conf.spec.
* For more info on search's ttl please see limits.conf.spec [search] ttl
* Defaults to 2p (that is, 2 x the period of the scheduled search).

sjohnson_splunk · ‎08-09-2016

When you create the saved search and schedule it in the web UI, there is a an expiration dropdown which allows you to change the ttl.

horsefez · ‎08-10-2016

Thanks, wasn't aware of it!

inventsekar · ‎08-09-2016

$SPLUNK_HOME/etc/system/default/alert_actions.conf OR $SPLUNK_HOME/etc/system/local/alert_actions.conf
in this file, do you have any value for "ttl"?!?

$SPLUNK_HOME/etc/system/default/savedsearches.conf OR
$SPLUNK_HOME/etc/system/local/savedsearches.conf
got any values for dispatch.ttl?

horsefez · ‎08-09-2016

No, there aren't any values set.
Which value is vor what purpose?
Which value should I set?

Saving alert artifacts for longer periods of time.

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk