Extend Job TTL Globally

tmontney · ‎07-15-2021

This article states how to change the TTL for a saved search individually: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/Search/Extendjoblifetimes I want to change the default TTL of any and all saved searches. Otherwise, I and my team have to remember to change this for each new search we save.

codebuilder · ‎07-15-2021

You can accomplish this by adding a [default] stanza to savedsearches.conf and adding dispatch.ttl = your_value_here under it. Where your_value_here = time to live in seconds.

At the application level, Include the updated savedsearches.conf in $SPLUNK_HOME/etc/apps/<app_name>/local

For a system level change place savedsearches.conf at $SPLUNK_HOME/etc/system/local. Though this is NOT recommended.

Documentation is here under 'dispatch search options' :
https://docs.splunk.com/Documentation/DFS/1.1.2/DFS/Savedsearchesconf

----
An upvote would be appreciated and Accept Solution if it helps!

codebuilder · ‎07-15-2021

Also, if you do add dispatch.ttl to a [default] stanza, then you would need to remove that setting from individual search stanzas as those would override what's in default.

----
An upvote would be appreciated and Accept Solution if it helps!

Extend Job TTL Globally

configuration

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk