Retention period for search results

Release date: 2015-05-05
Last updated: 2018-11-22
Version: Splunk Enterprise 6.3.0
Overview
The retention period for search results depends on how the search was performed and whether an alert action was taken. This section introduces the concept of the retention period and how to change it.
Reference information

The retention period for search results depends on how the search was performed and whether an alert action was taken.

  • The default retention period for manual searches is 600 seconds.
  • The retention period for scheduled searches (such as running alerts) is by default twice the schedule interval. For example, if the schedule runs every hour, the retention period will be 2 hours.
  • When a scheduled search triggers an alert action, the retention period configured for that alert action applies instead of the value above.

Saved search results can be viewed from Activity > Jobs on the top right of the Splunk Web page.

Search results are also saved in the dispatch area ($SPLUNK_HOME/var/run/splunk/dispatch by default).

*$SPLUNK_HOME for a default installation:

<Linux>
$SPLUNK_HOME : /opt/splunk
<Windows>
$SPLUNK_HOME : C:\Program Files\splunk

How to change the retention period for scheduled searches

Setting example: set a retention period of 100 seconds for the saved search "sample" created in the Search app.

[Setting procedure by GUI]

In Splunk Enterprise 6.3.0 and later versions, it is also possible to change the setting value from the GUI.

Changing the settings from the GUI does not require restarting the Splunk service.

  • Log in to Splunk Web.
  • Click Settings > Searches, Reports, and Alerts from the top right menu.
  • Click "Edit details" in the Actions column for the search named "sample".
  • Change the value of the "dispatch.ttl" parameter to 100.
    (The default value, 2p, means twice the schedule interval.)
  • Click "Save" at the top right of the screen.

[Setting procedure by configuration file]

If you are using a version prior to Splunk Enterprise 6.3.0, you will need to edit the configuration file directly using the steps below.

  • Add the following settings to one of the following configuration files:
    - If the scheduled search is private:
      $SPLUNK_HOME/etc/users/<username>/search/local/savedsearches.conf
    - If the scheduled search is shared within the app (here, the Search app):
      $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf

Entry example:

[sample]
dispatch.ttl = 100

*Enter the search name in [] and the retention period in seconds in dispatch.ttl.

  • After changing the settings, restart the Splunk service.

How to change retention period when alert action is executed

Setting example: set a retention period of 100 seconds for the email alert action.

  • Add the following settings to one of the following configuration files:
    - To change the retention period system-wide:
      $SPLUNK_HOME/etc/system/local/alert_actions.conf
    - To change the retention period for a specific app:
      $SPLUNK_HOME/etc/apps/<app name>/local/alert_actions.conf

Entry example:

[email]
ttl = 100

*Enter the alert action name in [] and the retention period in seconds in ttl.

*Note that the parameter name differs from the scheduled-search setting: savedsearches.conf uses dispatch.ttl, while alert_actions.conf uses ttl.

  • After changing the settings, restart the Splunk service.
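The following Python script is an added worked example, not part of this article and not Splunk's own code. It reads constructed savedsearches.conf and alert_actions.conf stanzas (the search names and values are made up for the example) and computes the effective retention period using the rules described above: 600 seconds for a manual search, dispatch.ttl (default 2p) for a scheduled search, and the triggered alert action's ttl when an action fires. The cron-interval helper is an assumption that covers only simple schedules, and the "p" suffix is treated the same way for both files.

```python
import configparser
import re
from typing import Optional

# Constructed sample stanzas in the style of savedsearches.conf and
# alert_actions.conf (not copied from any real deployment).
SAVEDSEARCHES_CONF = """
[sample]
cron_schedule = 0 * * * *
dispatch.ttl = 100

[hourly_report]
cron_schedule = 0 * * * *
"""

ALERT_ACTIONS_CONF = """
[email]
ttl = 100
"""

DEFAULT_MANUAL_TTL = 600       # default retention for manual (ad hoc) searches, in seconds
DEFAULT_SCHEDULED_TTL = "2p"   # default dispatch.ttl: twice the schedule interval


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text (INI-style stanzas) with configparser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def period_from_cron(cron: str) -> int:
    """Schedule interval in seconds for simple cron_schedule values.

    Assumption for this example: only the common forms are handled
    ('*/N * * * *', 'M * * * *', 'M */N * * *', 'M H * * *').
    """
    minute, hour = cron.split()[:2]
    if minute.startswith("*/"):
        return int(minute[2:]) * 60
    if hour == "*":
        return 3600
    if hour.startswith("*/"):
        return int(hour[2:]) * 3600
    return 86400


def ttl_to_seconds(value: str, period_seconds: int) -> int:
    """Convert a ttl value to seconds: '100' -> 100, '2p' -> 2 * period."""
    m = re.fullmatch(r"\s*(\d+)\s*(p?)\s*", value)
    if not m:
        raise ValueError(f"unsupported ttl value: {value!r}")
    n = int(m.group(1))
    return n * period_seconds if m.group(2) else n


def effective_retention(saved: configparser.ConfigParser,
                        actions: configparser.ConfigParser,
                        search_name: Optional[str],
                        triggered_action: Optional[str] = None) -> int:
    """Retention in seconds following the rules in the article.

    - manual search (search_name is None): 600 seconds
    - scheduled search: dispatch.ttl, default 2p
    - scheduled search that triggered an alert action: that action's ttl
    """
    if search_name is None:
        return DEFAULT_MANUAL_TTL
    stanza = saved[search_name]
    period = period_from_cron(stanza["cron_schedule"])
    if triggered_action is not None and actions.has_option(triggered_action, "ttl"):
        return ttl_to_seconds(actions[triggered_action]["ttl"], period)
    return ttl_to_seconds(stanza.get("dispatch.ttl", DEFAULT_SCHEDULED_TTL), period)


def retention_report() -> dict:
    """Effective retention for each case over the constructed stanzas above."""
    saved = parse_conf(SAVEDSEARCHES_CONF)
    actions = parse_conf(ALERT_ACTIONS_CONF)
    return {
        "manual": effective_retention(saved, actions, None),
        "sample": effective_retention(saved, actions, "sample"),
        "hourly_report": effective_retention(saved, actions, "hourly_report"),
        "hourly_report+email": effective_retention(saved, actions, "hourly_report", "email"),
    }


if __name__ == "__main__":
    for name, seconds in retention_report().items():
        print(f"{name:22s} {seconds} s")
```

Running the script shows the two ways a 100-second value reaches the dispatch directory: "sample" gets it from dispatch.ttl, while "hourly_report" keeps the 2p default (7200 seconds) until the email action fires, after which the action's ttl of 100 seconds applies. Knowing these numbers is useful when checking how long search artifacts stay on disk under $SPLUNK_HOME/var/run/splunk/dispatch.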
