Extend Job TTL Globally

tmontney · ‎07-15-2021

This article states how to change the TTL for a saved search individually: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/Search/Extendjoblifetimes I want to change the default TTL of any and all saved searches. Otherwise, I and my team have to remember to change this for each new search we save.

codebuilder · ‎07-15-2021

You can accomplish this by adding a [default] stanza to savedsearches.conf and adding dispatch.ttl = your_value_here under it. Where your_value_here = time to live in seconds.

At the application level, Include the updated savedsearches.conf in $SPLUNK_HOME/etc/apps/<app_name>/local

For a system level change place savedsearches.conf at $SPLUNK_HOME/etc/system/local. Though this is NOT recommended.

Documentation is here under 'dispatch search options' :
https://docs.splunk.com/Documentation/DFS/1.1.2/DFS/Savedsearchesconf

----
An upvote would be appreciated and Accept Solution if it helps!

codebuilder · ‎07-15-2021

Also, if you do add dispatch.ttl to a [default] stanza, then you would need to remove that setting from individual search stanzas as those would override what's in default.

----
An upvote would be appreciated and Accept Solution if it helps!

Extend Job TTL Globally

configuration

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms