Reporting

When I clicked "view results" on alert mail, "The search you requested could not be found." message was showed in display.

Builder

I set an alert that works everyday and sends mail.

Today I clicekd "view results" on alert mail, then "The search you requested could not be found." message was showed in display.

But I didn't delete search job manually.
And not much time has passed since the alert has started.
Why did this search job expire?

I hope someone can tell me.

Labels (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

seems you have encountered a known issue SPL-132078
https://docs.splunk.com/Documentation/Splunk/6.6.4/ReleaseNotes/KnownIssues#Saved_search.2C_alerting...

If above is not correct then try this

Edit your savedsearches.conf file and set the dispatch.ttl value. The default value is 2p which means 2 times longer than the scheduled interval of your search.

savedsearches.conf:

<code>[my_very_long_and_intensive_savedsearch_name]
 ....
 dispatch.ttl = 10p
 ....
</code>

From the savedsearch.conf docs:

dispatch.ttl = <integer>[p]

Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
Defaults to 2p.

let me know if this helps!

View solution in original post

0 Karma

Motivator

If you edit the alert in Settings->Searches, reports, and alerts, scroll down to the section titled Alert, and in that section you will find a setting for Expiration. I was just looking at an alert I created a while ago (which as I recall I left this setting default) and it shows an expiration of "After 6 hours" (How long Splunk keeps a record of each triggered alert). If the time between the alert being triggered and your clicking on the link in the emailed alert is greater than this value, the alert will not be available to view.

Your choices here are 6, 12, and 24 hours; 2 days and 7 days, or you can set a custom time.

0 Karma

New Member

Can you please let me know what exactly do you mean by custom time?

0 Karma

SplunkTrust
SplunkTrust

seems you have encountered a known issue SPL-132078
https://docs.splunk.com/Documentation/Splunk/6.6.4/ReleaseNotes/KnownIssues#Saved_search.2C_alerting...

If above is not correct then try this

Edit your savedsearches.conf file and set the dispatch.ttl value. The default value is 2p which means 2 times longer than the scheduled interval of your search.

savedsearches.conf:

<code>[my_very_long_and_intensive_savedsearch_name]
 ....
 dispatch.ttl = 10p
 ....
</code>

From the savedsearch.conf docs:

dispatch.ttl = <integer>[p]

Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
Defaults to 2p.

let me know if this helps!

View solution in original post

0 Karma

Builder

Thank you for answer mayurr98.

When this event occurred, I configured the schedule to 5 minute intervals. Moreover, I did not change the period of dispatch.ttl from the default, so I think that this event occurred.

It was very helpful!

0 Karma

SplunkTrust
SplunkTrust

which splunk version are you using?

0 Karma

Builder

Thank you for comment mayurr98!

I'm using Splunk version 6.6.4.

0 Karma

SplunkTrust
SplunkTrust

seems like a known issue OR bug
I think you can see Activity -> Triggered alerts dropdown. However, if you click on the RSS link in Settings -> Search and Reports I get an error page?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!