Retention period for search results
- Release date: 2015-05-05
- Last updated: 2018-11-22
- Version: Splunk Enterprise 6.3.0
- Overview: The retention period for search results depends on how the search was performed and whether an alert action was taken. This section introduces the concept of the retention period and how to change it.
Retention period for search results
The retention period for search results depends on how the search was performed and whether an alert action was taken.
- The default retention period for manual searches is 600 seconds.
- The retention period for scheduled searches (such as alerts) is by default twice the schedule interval. For example, if the schedule runs every hour, the retention period is 2 hours.
- Independently of the above, when a scheduled search executes an alert action, the retention period configured for that alert action applies to the results it produced.
Saved search results can be viewed from Activity > Jobs on the top right of the Splunk Web page.
Search results are also saved in the dispatch area ($SPLUNK_HOME/var/run/splunk/dispatch by default).
*For a default installation:
<Linux> $SPLUNK_HOME : /opt/splunk
<Windows> $SPLUNK_HOME : C:\Program Files\splunk

How to change the retention period for scheduled searches
Setting example: setting a retention period of 100 seconds for the saved search "sample" created in the Search app
[Setting procedure by GUI]
In Splunk Enterprise 6.3.0 and later versions, it is also possible to change the setting value from the GUI.
Changing the settings from the GUI does not require restarting the Splunk service.
- Open the GUI screen of SplunkWeb.
- Click Settings > Search, Reports & Alerts from the top right menu.
- Click "Edit details" in the Actions column for the search named "sample".
- Change the value of the "dispatch.ttl" parameter to 100.
  (The default value of 2p means twice the schedule interval.)
- Click "Save" at the top right of the screen.
[Setting procedure by CLI]
If you are using a version prior to Splunk Enterprise 6.3.0, you will need to edit the configuration file directly using the steps below.
- Add the following settings to one of the following configuration files.
  - If the scheduled search is private: $SPLUNK_HOME/etc/users/username/search/local/savedsearches.conf
  - If the scheduled search is shared within the app: $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
Entry example:
[sample]
dispatch.ttl = 100
*Enter the search name in [] and the retention period in seconds in dispatch.ttl.
- After changing the settings, restart the Splunk service.
How to change retention period when alert action is executed
Setting example: setting a retention period of 100 seconds for the email alert action
- Add the following settings to one of the following configuration files.
  - When changing the retention period system-wide: $SPLUNK_HOME/etc/system/local/alert_actions.conf
  - When changing the retention period for a specific app: $SPLUNK_HOME/etc/apps/<app name>/local/alert_actions.conf
Entry example:
[email]
ttl = 100
*Enter the alert action name in [] and the retention period in seconds in ttl.
*Note that the parameter name differs from the one used for scheduled searches (dispatch.ttl in savedsearches.conf versus ttl in alert_actions.conf).
- After changing the settings, restart the Splunk service.
That's all.
Macnica Co., Ltd., Splunk team
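The three retention rules above (600 seconds for manual searches, dispatch.ttl defaulting to 2p for scheduled searches, and the alert action's own ttl taking precedence when an action fires) can be checked against a configuration before deploying it. The following is an added example, not Macnica's or Splunk's own code; the savedsearches.conf and alert_actions.conf text is constructed sample input, and falling back to the search's dispatch.ttl when an action has no ttl set is an assumption of this script, not something the page states.

```python
import configparser
import re

MANUAL_SEARCH_TTL = 600  # seconds; the page's default for ad-hoc searches

# Constructed savedsearches.conf: "sample" overrides the TTL, "hourly_check" does not
SAVEDSEARCHES_CONF = """
[sample]
cron_schedule = */15 * * * *
dispatch.ttl = 100

[hourly_check]
cron_schedule = 0 * * * *
"""

# Constructed alert_actions.conf: the email action keeps its results for 100 s
ALERT_ACTIONS_CONF = """
[email]
ttl = 100
"""

def parse_ttl(value, period_seconds):
    """Resolve a Splunk ttl string: '100' -> 100 s, '2p' -> 2 * schedule period."""
    m = re.fullmatch(r"\s*(\d+)(p?)\s*", value)
    if not m:
        raise ValueError(f"unparseable ttl: {value!r}")
    n, suffix = int(m.group(1)), m.group(2)
    return n * period_seconds if suffix == "p" else n

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so "dispatch.ttl" is matched as written
    cp.read_string(text)
    return cp

def effective_ttl(search_name, period_seconds, action=None,
                  savedsearches=SAVEDSEARCHES_CONF, alert_actions=ALERT_ACTIONS_CONF):
    """TTL in seconds for one run of a scheduled search, or of the alert action it fired."""
    if action is not None:
        actions = load_conf(alert_actions)
        # An executed alert action's own ttl takes precedence over dispatch.ttl
        if actions.has_option(action, "ttl"):
            return parse_ttl(actions.get(action, "ttl"), period_seconds)
        # Assumption: no ttl configured for the action -> fall back to the search's value
    searches = load_conf(savedsearches)
    raw = searches.get(search_name, "dispatch.ttl", fallback="2p")  # 2p = Splunk default
    return parse_ttl(raw, period_seconds)

if __name__ == "__main__":
    print(effective_ttl("sample", 15 * 60))              # 100: explicit dispatch.ttl
    print(effective_ttl("hourly_check", 3600))           # 7200: 2p of a one-hour schedule
    print(effective_ttl("hourly_check", 3600, "email"))  # 100: the email action's ttl
```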
- TEL:045-476-2010
- E-mail:splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30