How to set the default search time in Splunk 6?

wpreston
Motivator

How can I set the default search time in Splunk 6? I'd prefer for my users to start their searches on the last 7 days instead of all time, but I can't find where to set it. I tried changing the value for TimeRangePicker in the flashtimeline view to "Last 7 days" then restarting Splunk, but nothing changed in my view. Below is the change I made:

<module name="TimeRangePicker">
    <param name="selected">Last 7 days</param>

I made this change to the following views: flashtimeline, charting, dashboard, and dashboard_live. What am I missing?

1 Solution

ChrisG
Splunk Employee

Further research yields this better answer:

To do this in Splunk Enterprise 6.0, use ui-prefs.conf. If you set the value in $SPLUNK_HOME/etc/system/local, all your users should see it as the default setting. For example, if your $SPLUNK_HOME/etc/system/local/ui-prefs.conf file includes:

[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

The default time range that all users will see in the search app will be today.

The configuration file reference for ui-prefs.conf is here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Ui-prefsconf

We are updating the Search Manual to include this information.

I am leaving the flashtimeline workaround information here in case it's useful to people for other reasons.

securediversity
Explorer

Note: Configuring the dispatch.earliest_time over the UI like shown in the post above will set the [general_default] stanza in user-prefs.conf (so not in ui-prefs.conf) (seen/verified in Splunk 7.1.6).

0 Karma

mattlucas719
Explorer

You can also make this universal/global by doing an open non-defined bracket like the one below. Make a new app on your DS and drop this in the appname/local/ui-prefs.conf:

[]
dispatch.earliest_time = -61m@m
dispatch.latest_time = -1m@m

0 Karma

nk-1
Path Finder

Splunk v6.4.1 has a UI option that sets that.
Settings, Server settings, Search preferences:
[Screenshot: Search Preferences in Splunk v6.4.1]

mthierbel
Explorer

Keep in mind that the default homepage in Splunk 6.0.2 is actually the launcher app and not the search app, so configuring just the [search] stanza will not change the setting for the homepage.

I was able to get it working in both the search app and the homepage by creating a
$SPLUNK_HOME/etc/system/local/ui-prefs.conf containing these settings:

[search]
dispatch.earliest_time = -24h
dispatch.latest_time = now

[default]
dispatch.earliest_time = -24h
dispatch.latest_time = now
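
An added example, not part of the thread and not Splunk's own code: a small audit of a ui-prefs.conf file that reports, per view, whether the default search window is bounded. It assumes the fallback the posts describe (a view's own stanza first, then `[default]`, which one poster below reports did not cover the launcher on their version), treats an unset, empty or `0` earliest time as all-time, and uses `home` as a hypothetical view ID for the launcher homepage.

```python
import configparser

# Constructed samples mirroring the two configurations posted in this thread.
SEARCH_ONLY = """
[search]
dispatch.earliest_time = @d
dispatch.latest_time = now
"""
SEARCH_AND_DEFAULT = """
[search]
dispatch.earliest_time = -24h
dispatch.latest_time = now

[default]
dispatch.earliest_time = -24h
dispatch.latest_time = now
"""

# Assumption: these values leave the lower time bound open (all-time search).
UNBOUNDED = {"", "0"}

def load_ui_prefs(text):
    """Parse ui-prefs.conf text into {stanza: {key: value}}."""
    # Move configparser's magic section aside so [default] is an ordinary stanza.
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}

def effective_earliest(prefs, view):
    """Return (value, source stanza) for a view: own stanza first, then [default]."""
    for stanza in (view, "default"):
        value = prefs.get(stanza, {}).get("dispatch.earliest_time")
        if value is not None:
            return value.strip(), stanza
    return "", None

def audit(text, views):
    """Map each view ID to its effective earliest time, or 'all-time' if unbounded."""
    prefs = load_ui_prefs(text)
    findings = {}
    for view in views:
        earliest, source = effective_earliest(prefs, view)
        findings[view] = "all-time" if earliest in UNBOUNDED else f"{earliest} via [{source}]"
    return findings

if __name__ == "__main__":
    for name, text in (("search only", SEARCH_ONLY), ("search + default", SEARCH_AND_DEFAULT)):
        print(name, audit(text, ["search", "home"]))
```
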

stefanlasiewski
Contributor

For my Splunk 6.2.0 server, specifying just the [default] section is enough to specify the default search time for the Search app. I did not need two separate [search] and [default] sections. In addition, I used @d like @ChrisG instead of -24h.

[default]
dispatch.earliest_time = @d
dispatch.latest_time = now
0 Karma

stefanlasiewski
Contributor

And ironically, setting the [default] section does not actually affect the default launcher app for me, but does affect certain other apps.

0 Karma

dhathaway
Engager

Thanks, this is the info I needed to set the default for all users on both the Search and Home/Launcher pages!

0 Karma

gozulin
Communicator

Thank you! This is a much better solution since everybody uses the launcher searchbox as you mention.

robertlight
Path Finder

What I am wondering is how can I make the time-frame "sticky"? I.e., if the user specifies a timeframe from midnight 12/25/2014 to midnight 12/26/2014 then at all times in the future (until I pick something else) the timeframe will be showing me info for Christmas 2014.

Right now, it always switches back to the default... whereas I want it always to be what I specified previously.

0 Karma

stefanlasiewski
Contributor

@ChrisG -- this only works for the Search app. The vast majority of Splunk users will start off on the default homepage, not the Splunk search app. How could we specify the default search time for all apps? In addition, @mthierbel's solution doesn't work for me either.

0 Karma

mthierbel
Explorer

@stefanlasiewski -- I'm surprised applying the setting under [default] is not working for you. Which directory is your ui-prefs.conf in? Are its settings taking effect for the [search] app screen?

0 Karma

stefanlasiewski
Contributor

I added the [default] parameter to $SPLUNK_HOME/etc/system/local/ui-prefs.conf and restarted Splunk.

0 Karma

ChrisG
Splunk Employee

What I know is in the docs (http://docs.splunk.com/Documentation/Splunk/6.0/Search/Selecttimerangestoapply#Change_the_default_se...): "the stanza name needs to match the dashboard ID for that view." If that's not working for you, let me know and I will investigate further.

0 Karma

sowings
Splunk Employee

@ChrisG, can you tell me how you selected the name of the stanza in your above example? The docs only mention the special [default] stanza. Is it simply the name of the view?

0 Karma

ChrisG
Splunk Employee

Yes, this change will require a restart.

0 Karma

ruiaires
Path Finder

This did not work for me... Does Splunk need to be restarted?

0 Karma

wpreston
Motivator

Excellent, thank you ChrisG!

0 Karma

ChrisG
Splunk Employee

For a workaround, you can enable flashtimeline. You can update the <view> tag in flashtimeline.xml from

<?xml version="1.0"?>
<view onunloadCancelJobs="False" autoCancelInterval="100" isDashboard="False" type="redirect" target="search">
<!-- autoCancelInterval is set here to 100 -->
...

to

<?xml version="1.0"?>
<view onunloadCancelJobs="False" autoCancelInterval="100">
<!-- autoCancelInterval is set here to 100 -->
...

and then use /app/search/flashtimeline instead of /app/search/search

0 Karma