Dashboards & Visualizations
Highlighted

How to set the default search time in Splunk 6?

Motivator

How can I set the default search time in Splunk 6? I'd prefer for my users to start their searches on the last 7 days instead of all time, but I can't find where to set it at. I tried changing the value for TimeRangePicker in the flashtimeline view to "Last 7 days" then restarting Splunk, but the nothing changed in my view. Below is the change I made:

< module name="TimeRangePicker">
    < param name="selected">Last 7 days< /param>

I made this change to the following views: flashtimeline, charting, dashboard, and dashboard_live. What am I missing?

Highlighted

Re: How to set the default search time in Splunk 6?

Path Finder

+1 this problem.

I tried: "flashtimeline" / "dashboard_live" / "charting" and manually restarted the Splunk service. Still Nothing..... Any help would be appreciated

0 Karma
Highlighted

Re: How to set the default search time in Splunk 6?

Splunk Employee
Splunk Employee

For a workaround, you can enable flashtimeline. You can update the <view> tag in flashtimeline.xml from

<?xml version="1.0"?>
<view onunloadCancelJobs="False" autoCancelInterval="100" isDashboard="False" type="redirect" target="search">
<!-- autoCancelInterval is set here to 100 -->
...

to

<?xml version="1.0"?>
<view onunloadCancelJobs="False" autoCancelInterval="100">
<!-- autoCancelInterval is set here to 100 -->
...

and then use use /app/search/flashtimeline instead of use /app/search/search

0 Karma
Highlighted

Re: How to set the default search time in Splunk 6?

Motivator

I have the work-around in place now and will be on the lookout for the future release. Thank you for the very detailed answers!!

Highlighted

Re: How to set the default search time in Splunk 6?

Splunk Employee
Splunk Employee

Further research yields this better answer:

To do this in Splunk Enterprise 6.0, use ui-prefs.conf. If you set the value in $SPLUNK_HOME/etc/system/local, all your users should see it as the default setting. For example, if your $SPLUNK_HOME/etc/system/local/ui-prefs.conf file includes:

[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

The default time range that all users will see in the search app will be today.

The configuration file reference for ui-prefs.conf is here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Ui-prefsconf

We are updating the Search Manual to include this information.

I am leaving the flashtimeline workaround information here in case it's useful to people for other reasons.

View solution in original post

Highlighted

Re: How to set the default search time in Splunk 6?

Motivator

Excellent, thank you ChrisG!

0 Karma
Highlighted

Re: How to set the default search time in Splunk 6?

Splunk Employee
Splunk Employee
0 Karma
Highlighted

Re: How to set the default search time in Splunk 6?

Path Finder

this did not work for me... does Splunk need to be restarted ?

0 Karma
Highlighted

Re: How to set the default search time in Splunk 6?

Splunk Employee
Splunk Employee

Yes, this change will require a restart.

0 Karma
Highlighted

Re: How to set the default search time in Splunk 6?

Splunk Employee
Splunk Employee

@ChrisG, can you tell me how you selected the name of the stanza in your above example? The docs only mention the special [default] stanza. Is it simply the name of the view?

0 Karma