Extend Job TTL Globally

tmontney · ‎07-15-2021

This article states how to change the TTL for a saved search individually: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/Search/Extendjoblifetimes I want to change the default TTL of any and all saved searches. Otherwise, I and my team have to remember to change this for each new search we save.

codebuilder · ‎07-15-2021

You can accomplish this by adding a [default] stanza to savedsearches.conf and adding dispatch.ttl = your_value_here under it. Where your_value_here = time to live in seconds.

At the application level, Include the updated savedsearches.conf in $SPLUNK_HOME/etc/apps/<app_name>/local

For a system level change place savedsearches.conf at $SPLUNK_HOME/etc/system/local. Though this is NOT recommended.

Documentation is here under 'dispatch search options' :
https://docs.splunk.com/Documentation/DFS/1.1.2/DFS/Savedsearchesconf

----
An upvote would be appreciated and Accept Solution if it helps!

codebuilder · ‎07-15-2021

Also, if you do add dispatch.ttl to a [default] stanza, then you would need to remove that setting from individual search stanzas as those would override what's in default.

----
An upvote would be appreciated and Accept Solution if it helps!

Extend Job TTL Globally

configuration

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...