Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

5.0.3.1 -- Scheduled search creating lots of directories in dispatch despite setting expiration to 1s

the_wolverine
Champion
‎05-15-2014 01:40 PM

Conditions:
1) Scheduled search that runs every minute and writes to summary index.

2) Additionally, configured to alert "always" and email to someone@email.address.
3) Expiration set to custom time, 1 second.
4) savedsearches.conf config for this search clearly shows 1s expiration value:

alert.expires = 1s

Expectation -- only 1 (or a few) directories related to this search in dispatch. Its ok if the cleanup job can't run often enough to keep it exactly at 1 second, even a few minutes would be fine.

Observation -- over 1000 directories generated by this scheduled search.

0 Karma
Reply

the_wolverine
Champion
‎05-15-2014 01:42 PM

Suspicion - This scheduled search is affected because it is considered an alert and different ttl applies to the generated "alert" artifacts.

Of more specific suspicion, in etc/system/default/alert_actions.conf:

ttl         = 86400

(86400 seconds = 24 hours)

Or, there's a bug.

Reply

sowings
Splunk Employee
Splunk Employee
‎05-09-2016 09:31 AM

A job which triggers an alert action takes on the TTL of that action.

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...