Once a search has been created and saved, how does one change the amount of time (number of days, for example) that the results are saved?
Look at this answer: Schedule Saved Search Retention which tells you to set
dispatch.ttl = <integer>[p]
in the config file savedsearches.conf
However, this will only affect subsequent runs of the saved search. If you want to change the retention of a search that has already been run, you can "save" the search results. This means that the results will never expire, so you will have to manually delete the results when you don't want them any longer.
If it isn't there, then Splunk is using the default. So just add the line and see what happens!
In savedsearches.conf, I do not see dispatch.ttl. I do see dispatch.earliest_time and dispatch.latest_time, but these seem to refer to the scope of the search, not the retention of search results. Any other ideas?
No, somesoni2, the search parameters are ok. I'm talking about changing how long the search results are saved.
Are you talking about the change in the earliest and latest parameter for saved search??