Solved: Re: How to set the default search time in Splunk 6...

wpreston · ‎10-14-2013

How can I set the default search time in Splunk 6? I'd prefer for my users to start their searches on the last 7 days instead of all time, but I can't find where to set it at. I tried changing the value for TimeRangePicker in the flashtimeline view to "Last 7 days" then restarting Splunk, but the nothing changed in my view. Below is the change I made:

< module name="TimeRangePicker">
    < param name="selected">Last 7 days< /param>

I made this change to the following views: flashtimeline, charting, dashboard, and dashboard_live. What am I missing?

ChrisG · ‎10-24-2013

Further research yields this better answer:

To do this in Splunk Enterprise 6.0, use ui-prefs.conf. If you set the value in $SPLUNK_HOME/etc/system/local, all your users should see it as the default setting. For example, if your $SPLUNK_HOME/etc/system/local/ui-prefs.conf file includes:

[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

The default time range that all users will see in the search app will be today.

The configuration file reference for ui-prefs.conf is here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Ui-prefsconf

We are updating the Search Manual to include this information.

I am leaving the flashtimeline workaround information here in case it's useful to people for other reasons.

View solution in original post

securediversity · ‎04-10-2019

note:

Configuring the dispatch.earliest_time over the UI like shown in the post above

will set the [general_default] stanza in user-prefs.conf (so not in ui-prefs.conf)

(seen/verified in splunk 7.1.6)

mattlucas719 · ‎04-12-2017

you can also make this universal/global by doing an open non-defined bracket like:
make a new app on your DS and drop this in the appname/local/ui-prefs.conf

[]
 dispatch.earliest_time = -61m@m
 dispatch.latest_time = -1m@m

nk-1 · ‎08-04-2016

Splunk v6.4.1 has a UI option that sets that.
Settings, Server settings, Search preferences:
Search Preferences in Splunk v6.4.1

mthierbel · ‎04-22-2014

Keep in mind that the default homepage in Splunk 6.0.2 is actually the launcher app and not the search app, so configuring just the [search] stanza will not change the setting for the homepage.

I was able to get it working in both the search app and the homepage by creating a
$SPLUNK_HOME/etc/system/local/ui-prefs.conf containing these settings:

[search]
dispatch.earliest_time = -24h
dispatch.latest_time = now

[default]
dispatch.earliest_time = -24h
dispatch.latest_time = now

stefanlasiewski · ‎12-01-2014

For my Splunk 6.2.0 server, specifying just the [default] section is enough to specify the default search time for the Search app. I did not need two separate [search] and [default] sections. In addition, I used @d like @ChristG instead of -24h.

[default]
dispatch.earliest_time = @d
dispatch.latest_time = now

stefanlasiewski · ‎12-01-2014

And ironically, setting the [default] section does not actually affect the default launcher app for me, but does affect certain other apps.

dhathaway · ‎05-21-2014

Thanks, this is the info I needed to set the default for all users on both the Search and Home/Launcher pages!

gozulin · ‎05-06-2014

Thank you! This is a much better solution since everybody uses the launcher searchbox as you mention.

ChrisG · ‎10-24-2013

Further research yields this better answer:

To do this in Splunk Enterprise 6.0, use ui-prefs.conf. If you set the value in $SPLUNK_HOME/etc/system/local, all your users should see it as the default setting. For example, if your $SPLUNK_HOME/etc/system/local/ui-prefs.conf file includes:

[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

The default time range that all users will see in the search app will be today.

The configuration file reference for ui-prefs.conf is here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Ui-prefsconf

We are updating the Search Manual to include this information.

I am leaving the flashtimeline workaround information here in case it's useful to people for other reasons.

robertlight · ‎04-01-2015

What I am wondering is how can I make the time-frame "sticky"? ie: if the user specifies a timeframe from midnight 12/25/2014 to midnight 12/26/2014 then at all times in the future (until I pick something else) the timeframe will be showing me info for christmas 2014.

Right now, it always switches back to the default....whereas I want it always to be what I specified previously.

stefanlasiewski · ‎12-01-2014

@ChristG -- this only works for the Search app. The vast majority of Splunk users will start off on the default homepage, not the Splunk search app. How could we specify the default search time for all apps? In addition, @mthierbel's solution doesn't work for me either.

mthierbel · ‎12-01-2014

@stefanlasiewski -- I'm surprised applying the setting under [default] is not working for you. Which directory is your ui-prefs.conf in? Are its settings taking effect for the [search] app screen?

stefanlasiewski · ‎12-01-2014

I added the [default] parameter to $SPLUNK_HOME/etc/system/local/ui-prefs.conf and restarted Splunk.

ChrisG · ‎02-12-2014

What I know is in the docs (http://docs.splunk.com/Documentation/Splunk/6.0/Search/Selecttimerangestoapply#Change_the_default_se... "the stanza name needs to match the dashboard ID for that view." If that's not working for you, let me know and I will investigate further.

sowings · ‎02-12-2014

@ChrisG, can you tell me how you selected the name of the stanza in your above example? The docs only mention the special [default] stanza. Is it simply the name of the view?

ChrisG · ‎12-02-2013

Yes, this change will require a restart.

ruiaires · ‎12-02-2013

this did not work for me... does Splunk need to be restarted ?

ChrisG · ‎10-25-2013

Docs are updated: http://docs.splunk.com/Documentation/Splunk/6.0/Search/Selecttimerangestoapply#Change_the_default_se...

wpreston · ‎10-24-2013

Excellent, thank you ChrisG!

ChrisG · ‎10-23-2013

For a workaround, you can enable flashtimeline. You can update the <view> tag in flashtimeline.xml from

<?xml version="1.0"?>
<view onunloadCancelJobs="False" autoCancelInterval="100" isDashboard="False" type="redirect" target="search">
<!-- autoCancelInterval is set here to 100 -->
...

to

<?xml version="1.0"?>
<view onunloadCancelJobs="False" autoCancelInterval="100">
<!-- autoCancelInterval is set here to 100 -->
...

and then use use /app/search/flashtimeline instead of use /app/search/search

How to set the default search time in Splunk 6?

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability