How to set the default search time in Splunk 6?

Motivator

How can I set the default search time in Splunk 6? I'd prefer for my users to start their searches on the last 7 days instead of all time, but I can't find where to set it at. I tried changing the value for TimeRangePicker in the flashtimeline view to "Last 7 days" then restarting Splunk, but nothing changed in my view. Below is the change I made:

<module name="TimeRangePicker">
    <param name="selected">Last 7 days</param>

I made this change to the following views: flashtimeline, charting, dashboard, and dashboard_live. What am I missing?

1 Solution

Splunk Employee

Further research yields this better answer:

To do this in Splunk Enterprise 6.0, use ui-prefs.conf. If you set the value in $SPLUNK_HOME/etc/system/local, all your users should see it as the default setting. For example, if your $SPLUNK_HOME/etc/system/local/ui-prefs.conf file includes:

[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

The default time range that all users will see in the search app will be today.

The configuration file reference for ui-prefs.conf is here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Ui-prefsconf

We are updating the Search Manual to include this information.

I am leaving the flashtimeline workaround information here in case it's useful to people for other reasons.

Note: Configuring the dispatch.earliest_time over the UI like shown in the post above will set the [general_default] stanza in user-prefs.conf (so not in ui-prefs.conf) (seen/verified in Splunk 7.1.6).

0 Karma

Explorer

You can also make this universal/global by doing an open non-defined bracket like the one below.
Make a new app on your DS and drop this in the appname/local/ui-prefs.conf:

[]
dispatch.earliest_time = -61m@m
dispatch.latest_time = -1m@m

0 Karma

Path Finder

Splunk v6.4.1 has a UI option that sets that.
Settings, Server settings, Search preferences:
Search Preferences in Splunk v6.4.1

Explorer

Keep in mind that the default homepage in Splunk 6.0.2 is actually the launcher app and not the search app, so configuring just the [search] stanza will not change the setting for the homepage.

I was able to get it working in both the search app and the homepage by creating a
$SPLUNK_HOME/etc/system/local/ui-prefs.conf containing these settings:

[search]
dispatch.earliest_time = -24h
dispatch.latest_time = now

[default]
dispatch.earliest_time = -24h
dispatch.latest_time = now
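
The [search] and [default] interaction discussed in this thread, as an added example that is not part of any post here and is not Splunk's own code. It models a single ui-prefs.conf only, assuming Splunk's general rule that [default] settings apply to any stanza that does not override them; a running instance merges several copies of the file, and posters in this thread saw the launcher behave differently across versions. The sample file and the view name `my_dashboard` are constructed for illustration.

```python
import configparser

# Constructed sample: the [search] + [default] layout discussed in the thread.
SAMPLE_UI_PREFS = """\
[default]
dispatch.latest_time = now

[search]
dispatch.earliest_time = @d

[flashtimeline]
dispatch.earliest_time = -24h
dispatch.latest_time = -1m@m
"""

KEYS = ("dispatch.earliest_time", "dispatch.latest_time")


def load_ui_prefs(text):
    """Parse one ui-prefs.conf; [default] is the fallback for every stanza."""
    parser = configparser.ConfigParser(
        default_section="default",  # treat [default] as inherited defaults
        delimiters=("=",),
        interpolation=None,
    )
    parser.read_string(text)
    return parser


def effective_time_range(parser, view):
    """Return (earliest, latest) for a view; None means not set in this file."""
    if parser.has_section(view):
        section = parser[view]
    else:
        # No stanza for this view: only the [default] values apply.
        section = parser[parser.default_section]
    return tuple(section.get(key) for key in KEYS)


def views_without_earliest(parser, views):
    """Views whose default search window has no lower bound in this file."""
    return [v for v in views if effective_time_range(parser, v)[0] is None]
```

Running `views_without_earliest` over the views your users actually open shows which ones would still start without a configured earliest time after a change like the one above.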

Contributor

For my Splunk 6.2.0 server, specifying just the [default] section is enough to specify the default search time for the Search app. I did not need two separate [search] and [default] sections. In addition, I used @d like @ChristG instead of -24h.

[default]
dispatch.earliest_time = @d
dispatch.latest_time = now
0 Karma

Contributor

And ironically, setting the [default] section does not actually affect the default launcher app for me, but does affect certain other apps.

0 Karma

Engager

Thanks, this is the info I needed to set the default for all users on both the Search and Home/Launcher pages!

0 Karma

Communicator

Thank you! This is a much better solution since everybody uses the launcher searchbox as you mention.

Path Finder

What I am wondering is how can I make the time-frame "sticky"? I.e., if the user specifies a timeframe from midnight 12/25/2014 to midnight 12/26/2014 then at all times in the future (until I pick something else) the timeframe will be showing me info for Christmas 2014.

Right now, it always switches back to the default... whereas I want it always to be what I specified previously.

0 Karma

Contributor

@ChristG -- this only works for the Search app. The vast majority of Splunk users will start off on the default homepage, not the Splunk search app. How could we specify the default search time for all apps? In addition, @mthierbel's solution doesn't work for me either.

0 Karma

Explorer

@stefanlasiewski -- I'm surprised applying the setting under [default] is not working for you. Which directory is your ui-prefs.conf in? Are its settings taking effect for the [search] app screen?

0 Karma

Contributor

I added the [default] parameter to $SPLUNK_HOME/etc/system/local/ui-prefs.conf and restarted Splunk.

0 Karma

Splunk Employee

What I know is in the docs (http://docs.splunk.com/Documentation/Splunk/6.0/Search/Selecttimerangestoapply#Change_the_default_se...): "the stanza name needs to match the dashboard ID for that view." If that's not working for you, let me know and I will investigate further.

0 Karma

Splunk Employee

@ChrisG, can you tell me how you selected the name of the stanza in your above example? The docs only mention the special [default] stanza. Is it simply the name of the view?

0 Karma

Splunk Employee

Yes, this change will require a restart.

0 Karma

Path Finder

This did not work for me... does Splunk need to be restarted?

0 Karma

Motivator

Excellent, thank you ChrisG!

0 Karma

Splunk Employee

For a workaround, you can enable flashtimeline. You can update the <view> tag in flashtimeline.xml from

<?xml version="1.0"?>
<view onunloadCancelJobs="False" autoCancelInterval="100" isDashboard="False" type="redirect" target="search">
<!-- autoCancelInterval is set here to 100 -->
...

to

<?xml version="1.0"?>
<view onunloadCancelJobs="False" autoCancelInterval="100">
<!-- autoCancelInterval is set here to 100 -->
...

and then use /app/search/flashtimeline instead of /app/search/search

0 Karma