Deployment Architecture

On a Splunk Enterprise deployer, how do I change the default time selection on a search head cluster?

halbeisendv
Path Finder

I have a Splunk instance that I'm using as a deployer called halfiron. I created user-prefs.conf in this directory. (/opt/etc/shcluster/apps/halfiron/user-prefs.conf) The contents of user-prefs.conf is:

[general]
default_earliest_time = @d
default_latest_time = now

On my deployer, I execute: splunk apply shcluster-bundle -target https://xxx.xxx.xxx.xxx:8089.

On one of my search head members, I review configuration.

splunk cmd btool user-prefs list --debug

/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf [general]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf datasets:showInstallDialog = 1
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_assistant = compact
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_auto_format = 0
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_line_numbers = 0
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_syntax_highlighting = light
/opt/splunk/etc/apps/halfiron/default/user-prefs.conf  [general_default]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf appOrder = search
/opt/splunk/etc/apps/halfiron/default/user-prefs.conf  default_earliest_time = @d
/opt/splunk/etc/apps/halfiron/default/user-prefs.conf  default_latest_time = now
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf default_namespace = $default
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf hideInstrumentationOptInModal = 0
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf showWhatsNew = 1

My default time selection does not change from 24 hours to Today.

I tried changing [general] to [search], [general_default] and none worked. I tried these same settings in ui-prefs.conf. Can't seem to get the default time selection to be "Today."

0 Karma

jaxjohnny2000
Builder

pushing a bundle does not work for us.  making a manual modification to the /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf does work.  and yes a user change will override the settings. 

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Parameters you used dispatch_earliest_time and dispatch_latest_time however correct parameters are dispatch.earliest_time and dispatch.latest_time as per answer given by me.

0 Karma

halbeisendv
Path Finder

I made certain to copy/paste your exact stanza.

[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

And it didn’t worked? If not can you please paste output again of btool after changes you made in ui-prefs.conf . Also which version of Splunk are you running?

0 Karma

halbeisendv
Path Finder

btool finds the information just fine over on the search head. Running 6.6.4

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Silly question but have you tried in different browser, maybe try in Incognito mode ?

0 Karma

halbeisendv
Path Finder

Not a silly question -- yes, already tried a different browser.

0 Karma

sudosplunk
Motivator

If you're using latest version of splunk (6.6.x & 7.x.x), there is an option to set this from web under "Settings >> Server settings (under system) >> Search preferences".

alt text

0 Karma

halbeisendv
Path Finder

The problem we encountered is with a search head cluster. This solution is for a stand-alone search head.

0 Karma

sudosplunk
Motivator

Ah. I see. Pushing configuration bundle from deployer will end up in default directory even though they're present in local on deployer.

Try below and see if it works:

Create a local directory inside user-prefs app on each SH manually.
Make your changes there in order for splunk to overwrite default.earliest_time = -24h@h setting
Perform debug refresh since this is a search-time change - https://yoursplunkVIP/en-US/debug/refresh

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

Can you please configure ui-prefs.conf in your app on your Deployer ( $SPLUNK_HOME/etc/shcluster/apps/<YOUR_APP>/local/ui-prefs.conf ) with below configuration

[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

Then push the bundle from Deployer to Search Heads.

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...