Splunk Search

When will ad-hoc search artifacts/results be deleted?

peterschloenske
Explorer

Hi,

I am wondering when my search artifacts/shown results will be deleted.
Default ttl for ad-hoc searches is 10min. I would expect the results of my opened & completed search to disappear after this time. Currently they don't and the expiration time is updated every time I refresh the jobs manager.

Cheers

0 Karma

harsmarvania57
Ultra Champion

Hi,

Yes, you are correct, the default ttl for ad-hoc searches is 10 min, but if a job is actively viewed in the Splunk UI then the mod-time of the status.csv file changes continuously. Because of that, the expiry time in Job Manager increases every time you refresh Job Manager, and the job will not be deleted from the dispatch directory.

ttl = <integer>
* How long, in seconds, the search artifacts should be stored on disk after
  the job completes. The ttl is computed relative to the modtime of the
  status.csv file of the job, if the file exists, or the modtime of the
  artifact directory for the search job.
* If a job is being actively viewed in the Splunk UI then the modtime of
  the status.csv file is constantly updated such that the reaper does not
  remove the job from underneath.
* Default: 600 (10 minutes)


0 Karma
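
The modtime rule from the ttl spec quoted in the answer above, as an added example that is not part of the original thread and not Splunk's own code: it estimates, for each job directory under a dispatch directory, how long remains before the artifact is eligible for reaping. The function names, the uniform ttl and the three sample job directories are constructed assumptions.

```python
import os
import tempfile
import time

DEFAULT_TTL = 600  # seconds; the default quoted in the spec text above


def reference_mtime(job_dir):
    """Modtime the ttl is measured from: status.csv if present, else the directory."""
    status = os.path.join(job_dir, "status.csv")
    target = status if os.path.isfile(status) else job_dir
    return os.stat(target).st_mtime


def audit_dispatch(dispatch_dir, ttl=DEFAULT_TTL, now=None):
    """Return [(job_id, seconds_until_expiry)], soonest first; negative = past ttl."""
    # Assumption: one ttl for every job (individual jobs can carry their own).
    now = time.time() if now is None else now
    report = []
    with os.scandir(dispatch_dir) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                remaining = reference_mtime(entry.path) + ttl - now
                report.append((entry.name, round(remaining)))
    return sorted(report, key=lambda item: item[1])


def build_sample(root, now):
    """Constructed sample: three job directories with hand-set modtimes."""
    def make(job_id, dir_age, status_age=None):
        path = os.path.join(root, job_id)
        os.mkdir(path)
        if status_age is not None:
            status = os.path.join(path, "status.csv")
            open(status, "w").close()
            os.utime(status, (now - status_age, now - status_age))
        os.utime(path, (now - dir_age, now - dir_age))  # set last: file creation touches it
    make("job_idle", dir_age=900, status_age=900)   # finished, nobody viewing
    make("job_viewed", dir_age=900, status_age=5)   # status.csv just refreshed by the UI
    make("job_no_status", dir_age=120)              # falls back to directory modtime


if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, now)
        for job_id, remaining in audit_dispatch(root, now=now):
            print(f"{job_id:15s} {remaining:6d}s")
```

In the sample, job_idle and job_viewed were created at the same time, but only job_idle is past its ttl: the refreshed status.csv keeps job_viewed on disk, which is the behaviour the question describes.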
