
Saving alert artifacts for longer periods of time.

SplunkTrust

Hi fellow splunkers,

I have some scheduled alerts in my instance and I get a notification via email if one of the alerts triggers.
The email includes a link to the results. Sadly this link expires after 2 days (?).

I have read about dispatch.ttl and other ttl values already, but have no clue how to extend the time a search artifact is valid.


How could I be able to set the expiration date of these links much higher?

Thanks in advance!

Best regards,
pyro_wood

0 Karma
1 Solution

Splunk Employee

When you create the saved search and schedule it in the web UI, there is an expiration dropdown which allows you to change the ttl.

Explorer

The ttl is very important to set if you want the alert or scheduled report to remain longer than the standard time.
conf at alerts.conf

ttl = <integer>[p]
* Optional argument specifying the minimum time to live (in seconds)
of the search artifacts, if this action is triggered.
* If p follows integer, then integer is the number of scheduled periods.
* If no actions are triggered, the artifacts will have their ttl determined
by the "dispatch.ttl" attribute in savedsearches.conf.
* Defaults to 10p
* Defaults to 86400 (24 hours) for: email, rss
* Defaults to 600 (10 minutes) for: script
* Defaults to 120 (2 minutes) for: summaryindex, populatelookup

For additional information on alerts, please visit this link: http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Alertactionsconf
For the ttl of saved searches (scheduled reports), please visit this link: https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Savedsearchesconf

dispatch search options:

dispatch.ttl = <integer>[p]
* Indicates the time to live (in seconds) for the artifacts of the scheduled
search, if no actions are triggered.
* If the integer is followed by the letter 'p' Splunk interprets the ttl as a
multiple of the scheduled search's execution period (e.g. if the search is
scheduled to run hourly and ttl is set to 2p the ttl of the artifacts will be
set to 2 hours).
* If an action is triggered Splunk changes the ttl to that action's ttl. If
multiple actions are triggered, Splunk applies the largest action ttl to the
artifacts. To set the action's ttl, refer to alert_actions.conf.spec.
* For more info on search's ttl please see limits.conf.spec [search] ttl
* Defaults to 2p (that is, 2 x the period of the scheduled search).
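
The precedence rules quoted in the post above, worked through as an added Python example (not part of the original thread and not Splunk's code). The function names, the `custom_action` name and the one-week override are assumptions for illustration; the default values are the ones quoted in the post.

```python
import re

# Per-action defaults as quoted from the alert_actions.conf spec text above.
ACTION_TTL_DEFAULTS = {
    "email": "86400", "rss": "86400", "script": "600",
    "summaryindex": "120", "populatelookup": "120",
}
GLOBAL_ACTION_TTL = "10p"      # default for any action not listed above
DISPATCH_TTL_DEFAULT = "2p"    # savedsearches.conf default


def ttl_seconds(value, period_seconds):
    """Convert '<integer>' (seconds) or '<integer>p' (schedule periods) to seconds."""
    m = re.fullmatch(r"\s*(\d+)(p?)\s*", value)
    if not m:
        raise ValueError(f"invalid ttl value: {value!r}")
    n = int(m.group(1))
    return n * period_seconds if m.group(2) else n


def artifact_ttl(period_seconds, triggered_actions=(),
                 dispatch_ttl=DISPATCH_TTL_DEFAULT, action_ttls=None):
    """Artifact lifetime in seconds for one run of a scheduled search.

    triggered_actions: names of the alert actions that fired on this run.
    action_ttls: per-action overrides, e.g. {"email": "604800"} (assumed input shape).
    """
    overrides = action_ttls or {}
    if not triggered_actions:
        # No action fired: dispatch.ttl decides.
        return ttl_seconds(dispatch_ttl, period_seconds)
    # One or more actions fired: the largest action ttl is applied.
    return max(
        ttl_seconds(overrides.get(a, ACTION_TTL_DEFAULTS.get(a, GLOBAL_ACTION_TTL)),
                    period_seconds)
        for a in triggered_actions
    )


if __name__ == "__main__":
    hourly = 3600  # constructed sample: a search scheduled every hour
    print("no action fired:      ", artifact_ttl(hourly))
    print("email fired (default):", artifact_ttl(hourly, ["email"]))
    print("email fired, 7d ttl:  ",
          artifact_ttl(hourly, ["email"], action_ttls={"email": "604800"}))
```

With the defaults, an hourly alert that sends an email keeps its artifacts for 86400 seconds regardless of dispatch.ttl, so it is the email action's ttl that has to be raised to keep the emailed results link alive longer.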


SplunkTrust

Thanks, wasn't aware of it!

0 Karma

Champion

$SPLUNK_HOME/etc/system/default/alert_actions.conf OR $SPLUNK_HOME/etc/system/local/alert_actions.conf
in this file, do you have any value for "ttl"?!?

$SPLUNK_HOME/etc/system/default/savedsearches.conf OR
$SPLUNK_HOME/etc/system/local/savedsearches.conf
got any values for dispatch.ttl?

0 Karma

SplunkTrust

No, there aren't any values set.
Which value is for what purpose?
Which value should I set?

0 Karma