I made the following settings in `alert_actions.conf`.
[email]
#14days
ttl=1209600
And I thought that the expiration date of the report executed at `6/11 AM 8 o'clock` was `6/25 AM 8 o'clock`.
However, when I check the search activity,
The expiration date was `6/29 16:56`.
Then I checked dispatch file again and I found only timestamp of the file `generate_preview` is `6/15 16:56`.(*`6/29 16:56` is Just After 14 days from `6/15 16:56`.)
With reference to the following materials, I think that this file is updated when checking the report results from the GUI.
https://www.splunk.com/blog/2012/09/10/a-quick-tour-of-a-dispatch-directory.html
In other words, if I checked the report from Splunk Web, is the specification that restarts calculating ttl from that time?
If someone knows about it, please tell me.
↧
