Hello Splunkers,
I'm working with saved searches and job TTLs, and I have 2 saved searches where the only thing that changes is the sourcetype, nothing more. With the same configuration in savedsearches.conf, the jobs for the first one expire in one day, and for the other one in two minutes. Both searches also have the same cron, run each minute, same window.
The first one has this configuration:

```
[QUERY ONE]
action.alert_impact_equity = 0
action.email.include.results_link = 0
action.email.include.view_link = 0
action.email.inline = 1
action.email.sendresults = 1
action.email.subject.report = Query one
action.email.useNSSubject = 1
alert.digest_mode = 0
alert.suppress = 0
alert.track = 1
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = */1 * * * *
description = Description one
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = equity
request.ui_dispatch_view = search
schedule_window = 1
search = THESEARCH
```
and the other one:

```
[QUERY TWO]
action.alert_impact_equity = 0
action.email.include.results_link = 0
action.email.include.view_link = 0
action.email.inline = 1
action.email.sendresults = 1
action.email.subject.report = Query two
action.email.useNSSubject = 1
alert.digest_mode = 0
alert.suppress = 0
alert.track = 1
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = */1 * * * *
description = Description two
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = equity
request.ui_dispatch_view = search
schedule_window = 1
search = THESEARCH
```
Also, if I edit them with the interface, both have the same value for the TTL.
![alt text][1]
Maybe I'm missing something, but why is the job TTL different for saved searches with the same configuration?
Thank you for reading!
[1]: /storage/temp/267619-capture.jpg