Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When will ad-hoc search artifacts/results be deleted?

peterschloenske
Explorer
‎09-10-2019 10:39 PM

Hi,

I am wondering when my search artifacts/shown results will be deleted.
Default ttl for ad-hoc searches is 10min. I would expect the results of my opened & completed search to disappear after this time. Currently they don't and the expiration time is updated every time I refresh the jobs manager.

Cheers

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
SplunkTrust
SplunkTrust
‎09-11-2019 02:36 AM

Hi,

Yes, you are correct default ttl for ad-hoc search is 10min but if job is actively viewed in Splunk UI then status.csv file changes mod-time continuously and due to that in Job Manager expire time increase at every time when you refresh job manager & job will not delete from dispatch directory.

ttl = <integer>
* How long, in seconds, the search artifacts should be stored on disk after
  the job completes. The ttl is computed relative to the modtime of the
  status.csv file of the job, if the file exists, or the modtime of the
  artifact directory for the search job.
* If a job is being actively viewed in the Splunk UI then the modtime of
  the status.csv file is constantly updated such that the reaper does not
  remove the job from underneath.
* Default: 600 (10 minutes)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

harsmarvania57
SplunkTrust
SplunkTrust
‎09-11-2019 02:36 AM

Hi,

Yes, you are correct default ttl for ad-hoc search is 10min but if job is actively viewed in Splunk UI then status.csv file changes mod-time continuously and due to that in Job Manager expire time increase at every time when you refresh job manager & job will not delete from dispatch directory.

ttl = <integer>
* How long, in seconds, the search artifacts should be stored on disk after
  the job completes. The ttl is computed relative to the modtime of the
  status.csv file of the job, if the file exists, or the modtime of the
  artifact directory for the search job.
* If a job is being actively viewed in the Splunk UI then the modtime of
  the status.csv file is constantly updated such that the reaper does not
  remove the job from underneath.
* Default: 600 (10 minutes)
0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...