Solved: Do the resulting files from a "dump" command have ...

actionabledata · ‎06-06-2022

Do the resulting files from a "dump" command have a TTL? I think they must since the files I created on Friday no longer exist.

Here is the search I am using to create the files.

index = “myIndexName” sourcetype=”mySourcetype” myFilterField IN(123ABC, 456DEF, 789GHI)
| dump basefilename= ABCCorp_06-06-22_0800_01330_ rollsize=1000 compress=5 format=raw
| table *

Thank you.

actionabledata · ‎06-10-2022

Thanks Jamie.

Yeah, I saw that and made the same assumptions but couldn't find a definitive answer. Through a few not-so-scientific experiments, I found the TTL to be longer than 15 min but less than 3 hrs ... but the files DO go away.

Thanks, Greg (ActionableData)

View solution in original post

jamie00171 · ‎06-08-2022

Hi @actionabledata

Based on where the documentation: https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Dump#Usage

states they are stored: "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump/

I'd assume they have the same TTL as the rest of the search artifacts which is believe is 15 minutes by default for an ad-hoc search or 2 times the scheduled period for a savedsearch.

Thanks,

Jamie

actionabledata · ‎06-10-2022

Thanks Jamie.

Yeah, I saw that and made the same assumptions but couldn't find a definitive answer. Through a few not-so-scientific experiments, I found the TTL to be longer than 15 min but less than 3 hrs ... but the files DO go away.

Thanks, Greg (ActionableData)

Do the resulting files from a "dump" command have a TTL?

other

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...