How can I populate a lookup without filling up my ...

proletariat99 · ‎02-08-2016

I run a scheduled search over 100 days that baselines some user behavior and then saves the results off to a lookup.csv. There are 10^10 results, so needless to say, the search results cache is pretty large (in the GB's range). Unfortunately, these cached results are filling up my user queue and then I can't run any other searches. But I don't actually need or want the results cached. They can be discarded immediately upon completion of the query. Does anyone know a way to run this scheduled search (at midnight or whatever), write the results to a lookup file, and then remove the search results from local search head storage?

somesoni2 · ‎02-08-2016

If you've access to your savedsearches.conf where this search is saved, your can set the expiration time for search artifacts (including result cache in dispatch directory) so something lower. The property that you need to set is this.

dispatch.ttl = <integer>[p]
* Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no
  actions are triggered.

See this for more information

http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/Savedsearchesconf

How can I populate a lookup without filling up my search queue

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio