How do I extend the length of time that the results for a saved search are kept? We get the following message:
The search you requested could not be found. The search has probably expired or been deleted. Clicking "Rerun search" will run a new search based on the original......
The problem is this is a very long running search, so how can we get the results to be saved for a longer period of time?
savedsearches.conf file and set the dispatch.ttl value. The default value is 2p which means 2 times longer than the scheduled interval of your search.
[my_very_long_and_intensive_savedsearch_name]
....
dispatch.ttl = 10p
....
From the savedsearches.conf docs:
dispatch.ttl = <integer>[p]
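To see how the `p` suffix plays out across several scheduled searches, the following added example (not part of the original answer, and not Splunk's own code) computes each stanza's artifact lifetime and lists those that expire before a chosen retention window. It assumes only `dispatch.ttl` and `cron_schedule` matter, handles only three simple cron shapes, and runs on a constructed sample file.

```python
import configparser

DEFAULT_TTL = "2p"  # default value stated in the answer above

# Constructed sample savedsearches.conf content (stanza names are illustrative).
SAMPLE = """
[daily_report]
cron_schedule = 0 6 * * *

[quarter_hour_alert]
cron_schedule = */15 * * * *
dispatch.ttl = 10p

[my_very_long_and_intensive_savedsearch_name]
cron_schedule = 30 * * * *
dispatch.ttl = 604800
"""

def cron_period_seconds(cron):
    """Period for simple schedules only: '*/N * * * *', 'M * * * *', 'M H * * *'."""
    minute, hour, dom, month, dow = cron.split()
    if (dom, month, dow) != ("*", "*", "*"):
        return None  # weekly/monthly schedules are out of scope here
    if minute.startswith("*/") and hour == "*":
        return int(minute[2:]) * 60
    if minute.isdigit() and hour == "*":
        return 3600
    if minute.isdigit() and hour.isdigit():
        return 86400
    return None

def effective_ttl(ttl, period):
    """Resolve <integer>[p]: plain seconds, or a multiple of the schedule period."""
    ttl = ttl.strip()
    if ttl.endswith("p"):
        return None if period is None else int(ttl[:-1]) * period
    return int(ttl)

def short_lived(conf_text, min_retention):
    """Map stanza name -> TTL in seconds for artifacts expiring before min_retention."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(conf_text)
    found = {}
    for name in parser.sections():
        stanza = parser[name]
        if "cron_schedule" not in stanza:
            continue  # not a scheduled search
        period = cron_period_seconds(stanza["cron_schedule"])
        ttl = effective_ttl(stanza.get("dispatch.ttl", DEFAULT_TTL), period)
        if ttl is not None and ttl < min_retention:
            found[name] = ttl
    return found
```

With a one-week retention target, `short_lived(SAMPLE, 7 * 86400)` reports the daily report (default `2p`, two days) and the 15-minute alert (`10p`, 150 minutes), while the stanza with an absolute TTL of 604800 seconds passes.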
When you're dealing with long-running searches it's better to 'save' the results of them than muck with the TTL. This will mark the job as 'saved' which means the TTL will not apply so the job will never get deleted by the system.
'sent to background' will do this but that literally banishes the search from your UI, which can make it hard to find the job again later. Therefore the easiest way to do this in practice is to choose 'get link to results'. A little message will tell you, when you're copying the URL, that the job has been saved and shared. Then you can just keep it running and rest assured that it won't be cancelled, and you'll have a URL in hand which you can save somewhere to come back to later to check on the status of your long running job.
Both answers are very helpful! Thank you! I think this one suits my purposes better for my situation, tho.
This will mark the job as 'saved' which means the TTL will not apply so the job will never get deleted by the system.
'sent to background' will do this but that literally banishes the search from your UI
Has this changed? I'm on Splunk 4.3.2 and when I send a job to the background I see this message: "Your search job has been backgrounded. To retrieve it, visit this page. Backgrounded jobs expire after 1 week."
And if I visit a backgrounded job after a week I see a page with this message: "The search you requested could not be found. The search has probably expired or been deleted."
Can you elaborate on "sent to background" and "get to link to result" please? Where is this sent to background feature?
I have both daily reports and alerts set and I have selected "link to alert and link to results" on edit actions, but after a day old reports I am getting this error when I click on view results:
"The search has probably expired or been deleted.
Clicking "Rerun search" will run a new search based on the expired search's search string in the expired search's original time period. Alternatively, you can return back to Splunk."
And I get this error when I click on view results on an alert email that is older than a day or more:
Error in 'SearchOperator:loadjob': Cannot find artifacts for savedsearchident 'schedulerc2V5aHVuLmJhYmFjYW4uY3dAY2FybHlsZS5jb20searchRMD5983d413544d79706at1516821000_25329'.