- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- When I clicked "view results" on alert mail, "The ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I set an alert that works everyday and sends mail.
Today I clicekd "view results" on alert mail, then "The search you requested could not be found." message was showed in display.
But I didn't delete search job manually.
And not much time has passed since the alert has started.
Why did this search job expire?
I hope someone can tell me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
seems you have encountered a known issue SPL-132078
https://docs.splunk.com/Documentation/Splunk/6.6.4/ReleaseNotes/KnownIssues#Saved_search.2C_alerting...
If above is not correct then try this
Edit your savedsearches.conf file and set the dispatch.ttl value. The default value is 2p which means 2 times longer than the scheduled interval of your search.
savedsearches.conf:
<code>[my_very_long_and_intensive_savedsearch_name]
....
dispatch.ttl = 10p
....
</code>
From the savedsearch.conf docs:
dispatch.ttl = <integer>[p]
Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
Defaults to 2p.
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you edit the alert in Settings->Searches, reports, and alerts, scroll down to the section titled Alert, and in that section you will find a setting for Expiration. I was just looking at an alert I created a while ago (which as I recall I left this setting default) and it shows an expiration of "After 6 hours" (How long Splunk keeps a record of each triggered alert). If the time between the alert being triggered and your clicking on the link in the emailed alert is greater than this value, the alert will not be available to view.
Your choices here are 6, 12, and 24 hours; 2 days and 7 days, or you can set a custom time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please let me know what exactly do you mean by custom time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
seems you have encountered a known issue SPL-132078
https://docs.splunk.com/Documentation/Splunk/6.6.4/ReleaseNotes/KnownIssues#Saved_search.2C_alerting...
If above is not correct then try this
Edit your savedsearches.conf file and set the dispatch.ttl value. The default value is 2p which means 2 times longer than the scheduled interval of your search.
savedsearches.conf:
<code>[my_very_long_and_intensive_savedsearch_name]
....
dispatch.ttl = 10p
....
</code>
From the savedsearch.conf docs:
dispatch.ttl = <integer>[p]
Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
Defaults to 2p.
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for answer mayurr98.
When this event occurred, I configured the schedule to 5 minute intervals. Moreover, I did not change the period of dispatch.ttl from the default, so I think that this event occurred.
It was very helpful!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
which splunk version are you using?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for comment mayurr98!
I'm using Splunk version 6.6.4.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
seems like a known issue OR bug
I think you can see Activity -> Triggered alerts dropdown. However, if you click on the RSS link in Settings -> Search and Reports I get an error page?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
