Splunk Search

Too many search jobs found in the dispatch directory (found=3079, warning level=2000). This could negatively impact Splunk's performance, consider removing some of the old search jobs.


There is no information on any jobs that can be ran within Splunk to auto remove these stagnant searches. There should be an automation or task that can be setup or schedualed to remove these so there are no longer any messages unless they are started within a specified time frame (which does not seem to exist). Help please it is an annoying message.


There is an automatic way. There is a setting in savedsearchs.conf = dispatch.ttl. Changing this will clean up your searches faster, but you have to do it via the conf file.


dispatch.ttl = <integer>[p]
* Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no
actions are triggered.
* If the integer is followed by the letter 'p' Splunk interprets the ttl as a multiple of the
scheduled search's execution period (e.g. if the search is scheduled to run hourly and ttl is set to 2p
the ttl of the artifacts will be set to 2 hours).
* If an action is triggered Splunk changes the ttl to that action's ttl. If multiple actions are
triggered, Splunk applies the largest action ttl to the artifacts. To set the action's ttl, refer
to alert_actions.conf.spec.
* For more info on search's ttl please see limits.conf.spec [search] ttl
* Defaults to 2p (that is, 2 x the period of the scheduled search).


Thank you will try today.

0 Karma
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...