Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Reduce the Expires of a job to 5 seconds

robertlynch2020
Motivator
‎11-02-2021 10:27 AM

I have a dashboard that I have to do a lot of refreshing on.

This is causing a lot of jobs to happen on my SPunk install.

The first set of jobs run but they are kept by Splunk for 5 minutes (Image below)

How do I get the expired to go to 5 seconds?

robertlynch2020_0-1635873625283.png

I was trying some setting but they are not working for me. Any ideas woud be great thanks

default_save_ttl=5
ttl = 5
remote_ttl = 5
srtemp_dir_ttl = 5
cache_ttl=5

Labels (1)
Labels
0 Karma
Reply

Roy_9
Motivator
‎11-04-2021 08:51 PM

I guess, It isn’t possible to set the job expiry to 5 seconds, by default it would be either 10 minutes or 7 days.

 

0 Karma
Reply

robertlynch2020
Motivator
‎11-05-2021 02:22 AM

Hi - I think that is only fo saved search, i am looking for dashboards.

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎11-02-2021 10:10 PM

On a saved search you can set TTL, however the TTL may be changed based oany n alert action.
The TTL within a dashboard would be the default TTL of adhoc searches which is normally 10 minutes.

That said I'm unsure if you can configure TTL for a job created by a dashboard...I mean you can likely hit the REST api to change TTL settings once the search runs or perhaps is running but that isn't an elegant solution... For this idea I would use the <done> if you cannot find a setting.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

robertlynch2020
Motivator
‎11-05-2021 02:29 AM

Hi

At the moment we have written a script that will remove any jobs if we go over 10,000.

However, Splunk still holds onto jobs that I cant remove for a time.

cd $dispatch
count=`ls -lrt | wc -l`

#To get the Indexer machine name
host=`echo "$SPLUNK_HOME" | cut -d"/" -f2` 

if [ $count -gt 10000 ]; then 
	find $dispatch -maxdepth 1 -mmin +3 2>/dev/null | while read job; do if [ ! -e "$job/save" ] ; then rm -rfv $job ; fi ; done  > /dev/null 2>&1
	find $dispatch -type d -empty -name alive.token -mmin +3 2>/dev/null | xargs -i rm -Rf {}  > /dev/null 2>&1
	find $splunkdir/var/run/splunk/ -type f -name "session-*" -mmin +3 2>/dev/null | xargs -i rm -Rf {}  > /dev/null 2>&1
	after_count=`ls -lrt | wc -l`
	echo `date +"%Y-%m-%d %H:%M:%S"`"|$SPLUNK_HOME|$host|$count|$after_count|"
else

 

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...