Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

5.0.3.1 -- Scheduled search creating lots of directories in dispatch despite setting expiration to 1s

the_wolverine
Champion
‎05-15-2014 01:40 PM

Conditions:
1) Scheduled search that runs every minute and writes to summary index.

2) Additionally, configured to alert "always" and email to someone@email.address.
3) Expiration set to custom time, 1 second.
4) savedsearches.conf config for this search clearly shows 1s expiration value:

alert.expires = 1s

Expectation -- only 1 (or a few) directories related to this search in dispatch. Its ok if the cleanup job can't run often enough to keep it exactly at 1 second, even a few minutes would be fine.

Observation -- over 1000 directories generated by this scheduled search.

0 Karma
Reply

the_wolverine
Champion
‎05-15-2014 01:42 PM

Suspicion - This scheduled search is affected because it is considered an alert and different ttl applies to the generated "alert" artifacts.

Of more specific suspicion, in etc/system/default/alert_actions.conf:

ttl         = 86400

(86400 seconds = 24 hours)

Or, there's a bug.

Reply

sowings
Splunk Employee
Splunk Employee
‎05-09-2016 09:31 AM

A job which triggers an alert action takes on the TTL of that action.

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...