Re: save search results?

jlawsonmers · ‎11-04-2013

Once a search has been created and saved, how does one change the amount of time (number of days, for example) that the results are saved?

lguinn2 · ‎11-04-2013

Look at this answer: Schedule Saved Search Retention which tells you to set

dispatch.ttl = <integer>[p] in the config file savedsearches.conf

However, this will only affect subsequent runs of the saved search. If you want to change the retention of a search that has already been run, you can "save" the search results. This means that the results will never expire, so you will have to manually delete the results when you don't want them any longer.

lguinn2 · ‎11-05-2013

If it isn't there, then Splunk is using the default. So just add the line and see what happens!

jlawsonmers · ‎11-04-2013

In savedsearches.conf, I do not see dispatch.ttl. I do see dispatch.earliest_time and dispatch.latest_time, but these seem to refer to the scope of the search, not the retention of search results. Any other ideas?

jlawsonmers · ‎11-04-2013

No, somesoni2, the search parameters are ok. I'm talking about changing how long the search results are saved.

somesoni2 · ‎11-04-2013

Are you talking about the change in the earliest and latest parameter for saved search??

save search results?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation