Can I have an example for this, please? I need the following times to be used with the timepicker:
last 30 min
last 60 min
last 24 hrs
last 7 days
last 10 days
How can I define them? Once you have gone through the documentation, can you please post an answer for my question?
Well, from the documentation, for 30 minutes you'd have a stanza such as:
label = Last 30 minutes
header_label = in the last 30 minutes
earliest_time = -30m
You would change this stanza to match what times you want. Please see the times.conf documentation for more information. I don't see a way to remove them.
To disable all of the defaults (you'd have to provide your own full list), use
[default]
disabled = True
To just disable a single one of the defaults, replace its disabled flag in your own copy of times.conf by creating a matching stanza, then setting disabled = true:
[last_30_days]
disabled = True
Your own times.conf should go in the local/ subfolder of your custom app.
The default is in $SPLUNK_HOME/etc/system/default/times.conf. You will want to copy that to $SPLUNK_HOME/etc/system/local/times.conf and make your changes there. If your question has been satisfactorily answered, please accept the answer.
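An added example, not part of any of the posts above: a times.conf covering the five ranges asked for in the question, built from the keys shown in the first answer. The stanza names are made up for this example, and the `latest_time` and `order` keys are taken from the times.conf specification rather than from this thread.

```ini
# times.conf - place in the local/ subfolder of your custom app
# (or in $SPLUNK_HOME/etc/system/local/), as described above.
# Stanza names below are arbitrary names chosen for this example.
# "order" controls the position in the time range picker (lower = higher up).

[custom_last_30_minutes]
label = Last 30 minutes
header_label = in the last 30 minutes
earliest_time = -30m
latest_time = now
order = 10

[custom_last_60_minutes]
label = Last 60 minutes
header_label = in the last 60 minutes
earliest_time = -60m
latest_time = now
order = 20

[custom_last_24_hours]
label = Last 24 hours
header_label = in the last 24 hours
earliest_time = -24h
latest_time = now
order = 30

[custom_last_7_days]
label = Last 7 days
header_label = in the last 7 days
earliest_time = -7d
latest_time = now
order = 40

[custom_last_10_days]
label = Last 10 days
header_label = in the last 10 days
earliest_time = -10d
latest_time = now
order = 50
```

These stanzas add entries next to the shipped defaults; the defaults only disappear if they are disabled as described in the answers above.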