On a Splunk Enterprise deployer, how do I change the default time selection on a search head cluster?

halbeisendv
Path Finder

I have a Splunk instance that I'm using as a deployer called halfiron. I created user-prefs.conf in this directory (/opt/etc/shcluster/apps/halfiron/user-prefs.conf). The contents of user-prefs.conf are:

[general]
default_earliest_time = @d
default_latest_time = now

On my deployer, I execute: splunk apply shcluster-bundle -target https://xxx.xxx.xxx.xxx:8089.

On one of my search head members, I review the configuration.

splunk cmd btool user-prefs list --debug

/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf [general]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf datasets:showInstallDialog = 1
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_assistant = compact
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_auto_format = 0
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_line_numbers = 0
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_syntax_highlighting = light
/opt/splunk/etc/apps/halfiron/default/user-prefs.conf  [general_default]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf appOrder = search
/opt/splunk/etc/apps/halfiron/default/user-prefs.conf  default_earliest_time = @d
/opt/splunk/etc/apps/halfiron/default/user-prefs.conf  default_latest_time = now
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf default_namespace = $default
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf hideInstrumentationOptInModal = 0
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf showWhatsNew = 1

My default time selection does not change from 24 hours to Today.

I tried changing [general] to [search], [general_default] and none worked. I tried these same settings in ui-prefs.conf. Can't seem to get the default time selection to be "Today."

0 Karma

jaxjohnny2000
Builder

Pushing a bundle does not work for us. Making a manual modification to /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf does work. And yes, a user change will override the settings.

0 Karma

harsmarvania57
SplunkTrust

The parameters you used are dispatch_earliest_time and dispatch_latest_time; however, the correct parameters are dispatch.earliest_time and dispatch.latest_time, as per the answer given by me.

0 Karma

halbeisendv
Path Finder

I made certain to copy/paste your exact stanza.

[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

0 Karma

harsmarvania57
SplunkTrust

And it didn't work? If not, can you please paste the btool output again after the changes you made in ui-prefs.conf? Also, which version of Splunk are you running?

0 Karma

halbeisendv
Path Finder

btool finds the information just fine over on the search head. Running 6.6.4

0 Karma

harsmarvania57
SplunkTrust

Silly question, but have you tried a different browser? Maybe try Incognito mode?

0 Karma

halbeisendv
Path Finder

Not a silly question -- yes, already tried a different browser.

0 Karma

sudosplunk
Motivator

If you're using the latest version of Splunk (6.6.x & 7.x.x), there is an option to set this from the web under "Settings >> Server settings (under system) >> Search preferences".

0 Karma

halbeisendv
Path Finder

The problem we encountered is with a search head cluster. This solution is for a stand-alone search head.

0 Karma

sudosplunk
Motivator

Ah, I see. Pushing a configuration bundle from the deployer will end up in the default directory even though they're present in local on the deployer.

Try the below and see if it works:

Create a local directory inside the user-prefs app on each SH manually.
Make your changes there in order for Splunk to overwrite the default.earliest_time = -24h@h setting.
Perform a debug refresh since this is a search-time change - https://yoursplunkVIP/en-US/debug/refresh

0 Karma

harsmarvania57
SplunkTrust

Hi,

Can you please configure ui-prefs.conf in your app on your Deployer ($SPLUNK_HOME/etc/shcluster/apps/<YOUR_APP>/local/ui-prefs.conf) with the below configuration:

[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

Then push the bundle from Deployer to Search Heads.

0 Karma
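
To see which app and which layer (default or local) each effective setting comes from after a bundle push, the `btool ... list --debug` output quoted in the question can be parsed rather than read by eye. This is an added example, not part of the original thread; the function names `parse_btool_debug` and `locate` are hypothetical, and the sample is an excerpt of the output posted in the question.

```python
import re

# Excerpt of the `btool user-prefs list --debug` output posted in the question.
SAMPLE = """\
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf [general]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_assistant = compact
/opt/splunk/etc/apps/halfiron/default/user-prefs.conf  [general_default]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf appOrder = search
/opt/splunk/etc/apps/halfiron/default/user-prefs.conf  default_earliest_time = @d
/opt/splunk/etc/apps/halfiron/default/user-prefs.conf  default_latest_time = now
"""

# Each line is "<source file> <stanza header or key = value>".
LINE = re.compile(r"^(\S+)\s+(.+)$")
# App name and layer are read from the source path; any other location is reported as "?".
PATH = re.compile(r"/etc/(?:apps/(?P<app>[^/]+)|system)/(?P<layer>default|local)/[^/]+\.conf$")


def parse_btool_debug(text):
    """Return {stanza: {key: (value, app, layer, path)}} from btool --debug output."""
    result, stanza = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        path, rest = m.group(1), m.group(2).strip()
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]
            result.setdefault(stanza, {})
            continue
        if stanza is None or "=" not in rest:
            continue
        key, value = (s.strip() for s in rest.split("=", 1))
        pm = PATH.search(path)
        app = (pm.group("app") or "system") if pm else "?"
        layer = pm.group("layer") if pm else "?"
        result[stanza][key] = (value, app, layer, path)
    return result


def locate(parsed, key):
    """List (stanza, value, app, layer) for every stanza in which btool shows `key`."""
    return [(st, *vals[key][:3]) for st, vals in parsed.items() if key in vals]


if __name__ == "__main__":
    parsed = parse_btool_debug(SAMPLE)
    for key in ("default_earliest_time", "default_latest_time"):
        for stanza, value, app, layer in locate(parsed, key):
            print(f"[{stanza}] {key} = {value}  <- app={app}, layer={layer}")
```

On a search head member, the same functions can be fed the live output of `splunk cmd btool user-prefs list --debug` or of the equivalent command for ui-prefs.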