I set an alert that works everyday and sends mail.
Today I clicekd "view results" on alert mail, then "The search you requested could not be found." message was showed in display.
But I didn't delete search job manually.
And not much time has passed since the alert has started.
Why did this search job expire?
I hope someone can tell me.
seems you have encountered a known issue SPL-132078
https://docs.splunk.com/Documentation/Splunk/6.6.4/ReleaseNotes/KnownIssues#Saved_search.2C_alerting...
If above is not correct then try this
Edit your savedsearches.conf
file and set the dispatch.ttl
value. The default value is 2p
which means 2 times longer than the scheduled interval of your search.
savedsearches.conf:
<code>[my_very_long_and_intensive_savedsearch_name]
....
dispatch.ttl = 10p
....
</code>
From the savedsearch.conf docs:
dispatch.ttl = <integer>[p]
Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
Defaults to 2p.
let me know if this helps!
If you edit the alert in Settings->Searches, reports, and alerts, scroll down to the section titled Alert, and in that section you will find a setting for Expiration. I was just looking at an alert I created a while ago (which as I recall I left this setting default) and it shows an expiration of "After 6 hours" (How long Splunk keeps a record of each triggered alert). If the time between the alert being triggered and your clicking on the link in the emailed alert is greater than this value, the alert will not be available to view.
Your choices here are 6, 12, and 24 hours; 2 days and 7 days, or you can set a custom time.
Can you please let me know what exactly do you mean by custom time?
seems you have encountered a known issue SPL-132078
https://docs.splunk.com/Documentation/Splunk/6.6.4/ReleaseNotes/KnownIssues#Saved_search.2C_alerting...
If above is not correct then try this
Edit your savedsearches.conf
file and set the dispatch.ttl
value. The default value is 2p
which means 2 times longer than the scheduled interval of your search.
savedsearches.conf:
<code>[my_very_long_and_intensive_savedsearch_name]
....
dispatch.ttl = 10p
....
</code>
From the savedsearch.conf docs:
dispatch.ttl = <integer>[p]
Time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
If an action is triggered the ttl is changed to that actions's ttl, if multiple actions are triggered
the maximum ttl is applied to the artifacts. For setting action's ttl refer to alert_actions.conf.spec
If the integer is followed by the letter 'p' the ttl is interpreted as a multiple of the scheduled search's period.
Defaults to 2p.
let me know if this helps!
Thank you for answer mayurr98.
When this event occurred, I configured the schedule to 5 minute intervals. Moreover, I did not change the period of dispatch.ttl from the default, so I think that this event occurred.
It was very helpful!
which splunk version are you using?
Thank you for comment mayurr98!
I'm using Splunk version 6.6.4.
seems like a known issue OR bug
I think you can see Activity -> Triggered alerts dropdown. However, if you click on the RSS link in Settings -> Search and Reports I get an error page?