- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Why are the scheduled Search results not available...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are the scheduled Search results not available longer than 24 hours?
Hello,
I have a form that I'm using to simplify the process of taking a dashboard and converting it to a scheduled search the user can run periodically. I'm using the Splunk MVC Javascript object to create this and it's working great except that the results are only kept for 24 hours. I did change dispatch.ttl and it is reflected in the savedsearches.conf file for that query, but if I look at the job after the query runs the expiration is still set to 24 hours.
Is there something else that I need to do to make the results persist for longer than 24 hours?
Casey
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could it be that actions are triggered?
•Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
•If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
•the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
•If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
•Defaults to 2p.
Assuming you adjusted the saved searches in the following manner:
Edit your savedsearches.conf file and set the dispatch.ttl value. The default value is 2p which means 2 times longer than the scheduled interval of your search.
savedsearches.conf:
1.<code>[my_very_long_and_intensive_savedsearch_name]
2. ....
3. dispatch.ttl = 10p
4. ....
5.</code>
From the savedsearch.conf docs:
dispatch.ttl = [p]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It does set an email and I do have alert.expires set to 10 days (that's how long they want the data retained for to account for long weekends). Is there something else that I'm just missing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, in the alert_actions.conf do you have the ttl section set properly:
ttl = [p]
* Optional argument specifying the minimum time to live (in seconds)
of the search artifacts, if this action is triggered.
* If p follows integer, then integer is the number of scheduled periods.
* If no actions are triggered, the artifacts will have their ttl determined
by the "dispatch.ttl" attribute in savedsearches.conf.
* Defaults to 10p
* Defaults to 86400 (24 hours) for: email, rss
* Defaults to 600 (10 minutes) for: script
* Defaults to 120 (2 minutes) for: summary_index, populate_lookup
I only ask, because by default (as mention in the ttl section) ttl for email artifacts is 24 hours.
•If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
•the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
basically, since you are triggering the email alert action, the the ttl for your saved search is changed to that actions's ttl, in your case email. You should modify the alert_actions.conf
Please refer to the example in the alert_actions.conf.spec documentation, you will see a stanza which refers to email actions ttl:
[email]
# keep the search artifacts around for 24 hours
ttl = 86400
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
