
How long does my search live? Default search ttl

When talking about dispatch directories, it’s important to understand how long a search lives. After a search expires, its artifacts (contained in the dispatch directory) are deleted. Different types of searches have different default ttl values, counted from when the search completes. Here are some examples:

For a regular ad-hoc or saved search run manually, the default ttl is 10 minutes. The default ttl for a remote search from a peer is also 10 minutes.

Scheduled search ttl varies by the selected alert action, if any. If the search has multiple actions, its ttl is that of the action with the longest ttl. Without an action, the value is determined by dispatch.ttl in savedsearches.conf, which defaults to twice the schedule period.

Here are actions that affect a search’s ttl:

  • Email, rss, tracking: 24 hours
  • Script: 10 minutes
  • Summary indexing, populate lookup: 2 minutes

Some kinds of searches have their own ttl:

  • Show Source (surrounding): 30 seconds
  • Subsearch: 5 minutes

In the case of subsearches, you will find a dispatch directory for both the subsearch and the search that uses it, and they will have different default ttl values.

You can change a ttl in several ways: by setting an individual value for a search when you save it, by setting a dispatch.ttl value (either global or for an individual search) in savedsearches.conf, or by setting values in the [search] or [subsearch] stanzas in limits.conf (ttl or remote_ttl in [search], or ttl in [subsearch]). Have a look at the documentation in savedsearches.conf.spec and limits.conf.spec for more on how to specify these values. Most are given in seconds, except for dispatch.ttl, which can also specify the number of schedule periods (like “2p”).
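
The scheduled-search rules above, worked through as an added example (not Splunk's code): it parses dispatch.ttl values given in seconds or schedule periods, applies the longest-action rule, and estimates how many dispatch directories one search keeps on disk. The action labels and function names are this example's own, and the directory count is an estimate that assumes one run per schedule period.

```python
import math
import re

# Default ttl per alert action, in seconds, as listed in the article.
# The dictionary keys are labels chosen for this example.
ACTION_TTL = {
    "email": 86400, "rss": 86400, "tracking": 86400,
    "script": 600,
    "summary_index": 120, "populate_lookup": 120,
}


def parse_dispatch_ttl(value, period_s):
    """Turn a dispatch.ttl value into seconds.

    "600" is a number of seconds; "2p" is a number of schedule periods.
    """
    m = re.fullmatch(r"(\d+)(p?)", str(value).strip())
    if m is None:
        raise ValueError(f"unrecognised dispatch.ttl value: {value!r}")
    count = int(m.group(1))
    return count * period_s if m.group(2) else count


def scheduled_search_ttl(period_s, actions=(), dispatch_ttl="2p"):
    """Seconds the artifacts of a scheduled search live after it completes."""
    if actions:
        # With several actions, the longest action ttl wins.
        return max(ACTION_TTL[a] for a in actions)
    # No action: dispatch.ttl applies (default: twice the schedule period).
    return parse_dispatch_ttl(dispatch_ttl, period_s)


def dispatch_dirs_estimate(period_s, actions=(), dispatch_ttl="2p"):
    """Upper estimate of unexpired dispatch directories for one search.

    Assumes one run per schedule period; ignores run time and any delay
    between expiry and deletion.
    """
    ttl = scheduled_search_ttl(period_s, actions, dispatch_ttl)
    return math.ceil(ttl / period_s)


if __name__ == "__main__":
    five_min = 300  # constructed sample: a search scheduled every 5 minutes
    for actions in ([], ["script"], ["script", "email"]):
        print(actions or "no action",
              scheduled_search_ttl(five_min, actions), "s,",
              dispatch_dirs_estimate(five_min, actions), "dirs")
```

For a search scheduled every five minutes, adding an email action moves the estimate from 2 retained dispatch directories to 288, which is worth knowing when sizing disk or deciding how long search artifacts remain available for review.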

Posted by Splunk
