Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Reduce the Expires of a job to 5 seconds

robertlynch2020
Motivator
‎11-02-2021 10:27 AM

I have a dashboard that I have to do a lot of refreshing on.

This is causing a lot of jobs to happen on my SPunk install.

The first set of jobs run but they are kept by Splunk for 5 minutes (Image below)

How do I get the expired to go to 5 seconds?

robertlynch2020_0-1635873625283.png

I was trying some setting but they are not working for me. Any ideas woud be great thanks

default_save_ttl=5
ttl = 5
remote_ttl = 5
srtemp_dir_ttl = 5
cache_ttl=5

Labels (1)
Labels
0 Karma
Reply

Roy_9
Motivator
‎11-04-2021 08:51 PM

I guess, It isn’t possible to set the job expiry to 5 seconds, by default it would be either 10 minutes or 7 days.

 

0 Karma
Reply

robertlynch2020
Motivator
‎11-05-2021 02:22 AM

Hi - I think that is only fo saved search, i am looking for dashboards.

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎11-02-2021 10:10 PM

On a saved search you can set TTL, however the TTL may be changed based oany n alert action.
The TTL within a dashboard would be the default TTL of adhoc searches which is normally 10 minutes.

That said I'm unsure if you can configure TTL for a job created by a dashboard...I mean you can likely hit the REST api to change TTL settings once the search runs or perhaps is running but that isn't an elegant solution... For this idea I would use the <done> if you cannot find a setting.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

robertlynch2020
Motivator
‎11-05-2021 02:29 AM

Hi

At the moment we have written a script that will remove any jobs if we go over 10,000.

However, Splunk still holds onto jobs that I cant remove for a time.

cd $dispatch
count=`ls -lrt | wc -l`

#To get the Indexer machine name
host=`echo "$SPLUNK_HOME" | cut -d"/" -f2` 

if [ $count -gt 10000 ]; then 
	find $dispatch -maxdepth 1 -mmin +3 2>/dev/null | while read job; do if [ ! -e "$job/save" ] ; then rm -rfv $job ; fi ; done  > /dev/null 2>&1
	find $dispatch -type d -empty -name alive.token -mmin +3 2>/dev/null | xargs -i rm -Rf {}  > /dev/null 2>&1
	find $splunkdir/var/run/splunk/ -type f -name "session-*" -mmin +3 2>/dev/null | xargs -i rm -Rf {}  > /dev/null 2>&1
	after_count=`ls -lrt | wc -l`
	echo `date +"%Y-%m-%d %H:%M:%S"`"|$SPLUNK_HOME|$host|$count|$after_count|"
else

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...