Splunk Search
Highlighted

Set Expiry Time for a saved Search with an action script

Path Finder

Hi All,

I have a set of saved searches which i have scheduled for run for every 15 min interval.
Each of the saved search triggers a script. By Default , the expiry time of the saved search which triggers a script is 10 min.
But i want to set the expiry time of these saved searches as 1 hr and this setting needs to be set as global.

So if the logged user creates the saved search from any app, the expiry time should be set as 1 hr.

I already created a alert_actions.conf file in the app which i have created and set the following

[script]
ttl = 3600

Setting this will make it only available for that specific app. How can i make it a global setting?

Please share your thoughts and suggestions.

0 Karma
Highlighted

Re: Set Expiry Time for a saved Search with an action script

Champion

setting in etc\system folder will make it global

0 Karma
Highlighted

Re: Set Expiry Time for a saved Search with an action script

Splunk Employee
Splunk Employee

In general you can also do this by setting the ttl globally for all saved searches:

# in $SPLUNK_HOME/etc/system/local/savedsearches.conf
# set default artifact time to live to 1h
dispatch.ttl           = 1h