Splunk® Enterprise

Search Manual

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Extending job lifetimes

When you run a new search job, the job is retained in the system for a period of time, called the job lifetime. During the lifetime, you can access the job and view the data returned by the job. If the job is not accessed within the specified lifetime, the job expires and is removed from the system.

There are two lifetime settings, 10 minutes and 7 days. The lifetime starts from the moment the job is run.

Default job lifetimes

The default lifetime for a search job depends on whether the search job is an artifact of an unscheduled or scheduled search.

For example, dashboard panels that are based on an inline search, use unscheduled searches. Panels that are based on a report, use saved searches. The saved search can be unscheduled or scheduled.

Default lifetimes for unscheduled searches

When you run an ad hoc search and the search is finalized or completes on its own, the resulting search job has a default lifetime of 10 minutes. Other knowledge objects, such as real-time alerts and panels based on inline searches that use unscheduled searches have the same default lifetime.

Default lifetimes for scheduled searches

Scheduled searches launch search jobs on a regular interval. By default, these jobs are retained for the interval of the scheduled search multiplied by two. For example, if the search runs every 6 hours, the resulting jobs expire in 12 hours.

Automatic lifetime extensions

Whenever you access an active job, such as when you view the results of a search job, the lifetime is reset. The reset happens whether the job lifespan is 10 minutes or 7 days. Here are a few examples of how this works.

  • If the lifetime is set to 10 minutes and you run the search job at 11:00 AM, the job lifetime is set to end at 11:10 AM. If you run the job again at 11:07 AM, the job lifetime is reset to end at 11:17 AM.
  • If you set the lifetime for a job to 7 days and then access the job 4 days later, the job lifetime is reset and will not expire for another 7 days from the current day and time.

Changing the lifetime for the current job

You change the lifetime setting for the current ad hoc search job in the Search app.

  1. Select the Job drop-down.
  2. Select Edit Job Settings to display the Job Settings.
  3. For Lifetime, select either 10 Minutes or 7 Days.

Changing the lifetime for active jobs

You can't change the lifetimes for jobs resulting from previously run unscheduled or scheduled searches. You can only change the lifetimes for active search jobs. See Manage search jobs.

Expired jobs

After the job lifetime ends, the job expires and is deleted from the system.

It is possible that while you are looking at the list of jobs that a job will expire. When you try to extend the lifetime of the expired job, a message appears explaining that the job no longer exists. You cannot extend the lifetime of an expired job.

Changing the default lifetime values

You can change the default value for the job lifetime for unscheduled and scheduled searches.

Change the default lifetime value for unscheduled searches

You can change the default value for the job lifetime for unscheduled searches.

Splunk Cloud Platform
To change the default value for the job lifetime for unscheduled searches, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.
Splunk Enterprise
Prerequisites
  • Only users with file system access, such as system administrators, can change the default lifetime values.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.

  1. Open the local limits.conf file for the Search app. For example, $SPLUNK_HOME/etc/apps/<app_name>/local.
  2. In the [search] stanza, change the default_save_ttl value to a number that is appropriate for your needs. The acronym TTL is an abbreviation for "time to live." The default_save_ttl setting measures search job time to live in seconds, and defaults to 604800 seconds, or one week.

Change the default lifetime value for scheduled searches

You can change the default lifetime for jobs resulting from a specific scheduled search.

Splunk Cloud Platform
You can use Splunk Web to make this change.
Prerequisites
  • Only system administrators with the sc_admin role should change default lifetime values.
  • Review the information about the dispatch.ttl setting in the Dispatch search options section of the Savedsearches.conf.spec file in the Admin Manual.
Steps:
  1. Select Settings > Searches, Reports, and Alerts.
  2. Locate the name of the scheduled search in the list.
  3. In the Actions column, select Edit, Advanced Edit.
  4. Locate the dispatch.ttl setting. The default setting is 2p.
  5. Change the setting, based on the information provided in the savedsearches.conf.spec file.
Splunk Enterprise
You can change this default either through Splunk Web, as described previously for Splunk Cloud Platform, or through the configuration files.
Prerequisites

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.

Steps:
  1. Open the local savedsearches.conf file. For example, $SPLUNK_HOME/etc/apps/<app_name>/local.
  2. Locate the scheduled search, and change the dispatch.ttl setting to a different interval multiple.
Last modified on 13 June, 2023
About jobs and job management   Share jobs and export results

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters