Deployment Architecture

Why are custom settings in ui-prefs.conf not being respected?

mdsnmss
SplunkTrust
SplunkTrust

I am trying to change the default time range when opening the search app. I have found several answers in other questions and have updated my ui-prefs.conf and deployed the shcluster bundle. This should initiate a restart if needed but initiated a rolling-restart in order to be sure. I ran "splunk cmd btool ui-prefs list --debug" to view the configurations from one of the search heads to confirm the settings. Here is a copy of the btool output:

[default]
countPerPage =
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype"]
display.events.list.drilldown = full
display.events.list.wrap = 1
display.events.maxLines = 5
display.events.raw.drilldown = full
display.events.rowNumbers = 0
display.events.table.drilldown = 1
display.events.table.wrap = 1
display.events.type = list
display.general.enablePreview = 1
display.page.home.showGettingStarted = 1
display.page.search.mode = smart
display.page.search.patterns.sensitivity = 0.8
display.page.search.searchHistoryTimeFilter = 0
display.page.search.showFields = 1
display.page.search.timeline.format = compact
display.page.search.timeline.scale = linear
display.prefs.aclFilter = none
display.prefs.appFilter = none
display.prefs.autoOpenSearchAssistant = 1
display.prefs.customSampleRatio = 1000
display.prefs.enableMetaData = 1
display.prefs.events.count = 20
display.prefs.fieldCoverage = .01
display.prefs.listMode = tiles
display.prefs.livetail = 0
display.prefs.searchContext = search
display.prefs.showDataSummary = 1
display.prefs.showSPL = 0
display.prefs.statistics.count = 20
display.prefs.timeline.height = 120px
display.prefs.timeline.minimalMode = 1
display.prefs.timeline.minimized = 0
display.statistics.drilldown = cell
display.statistics.rowNumbers = 0
display.statistics.wrap = 1
display.visualizations.chartHeight = 300
display.visualizations.charting.chart = column
display.visualizations.charting.chart.style = shiny
display.visualizations.charting.legend.labelStyle.overflowMode = ellipsisMiddle
display.visualizations.custom.type =
display.visualizations.type = charting
[job_manager]
countPerPage = 10
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype"]
display.events.list.drilldown = full
display.events.list.wrap = 1
display.events.maxLines = 5
display.events.raw.drilldown = full
display.events.rowNumbers = 0
display.events.table.drilldown = 1
display.events.table.wrap = 1
display.events.type = list
display.general.enablePreview = 1
display.page.home.showGettingStarted = 1
display.page.search.mode = smart
display.page.search.patterns.sensitivity = 0.8
display.page.search.searchHistoryTimeFilter = 0
display.page.search.showFields = 1
display.page.search.timeline.format = compact
display.page.search.timeline.scale = linear
display.prefs.aclFilter = none
display.prefs.appFilter = none
display.prefs.autoOpenSearchAssistant = 1
display.prefs.customSampleRatio = 1000
display.prefs.enableMetaData = 1
display.prefs.events.count = 20
display.prefs.fieldCoverage = .01
display.prefs.listMode = tiles
display.prefs.livetail = 0
display.prefs.searchContext = search
display.prefs.showDataSummary = 1
display.prefs.showSPL = 0
display.prefs.statistics.count = 20
display.prefs.timeline.height = 120px
display.prefs.timeline.minimalMode = 1
display.prefs.timeline.minimized = 0
display.statistics.drilldown = cell
display.statistics.rowNumbers = 0
display.statistics.wrap = 1
display.visualizations.chartHeight = 300
display.visualizations.charting.chart = column
display.visualizations.charting.chart.style = shiny
display.visualizations.charting.legend.labelStyle.overflowMode = ellipsisMiddle
display.visualizations.custom.type =
display.visualizations.type = charting
[search]
countPerPage =
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype"]
display.events.list.drilldown = full
display.events.list.wrap = 1
display.events.maxLines = 5
display.events.raw.drilldown = full
display.events.rowNumbers = 0
display.events.table.drilldown = 1
display.events.table.wrap = 1
display.events.type = list
display.general.enablePreview = 1
display.page.home.showGettingStarted = 1
display.page.search.mode = smart
display.page.search.patterns.sensitivity = 0.8
display.page.search.searchHistoryTimeFilter = 0
display.page.search.showFields = 1
display.page.search.timeline.format = compact
display.page.search.timeline.scale = linear
display.prefs.aclFilter = none
display.prefs.appFilter = none
display.prefs.autoOpenSearchAssistant = 1
display.prefs.customSampleRatio = 1000
display.prefs.enableMetaData = 1
display.prefs.events.count = 20
display.prefs.fieldCoverage = .01
display.prefs.listMode = tiles
display.prefs.livetail = 0
display.prefs.searchContext = search
display.prefs.showDataSummary = 1
display.prefs.showSPL = 0
display.prefs.statistics.count = 20
display.prefs.timeline.height = 120px
display.prefs.timeline.minimalMode = 1
display.prefs.timeline.minimized = 0
display.statistics.drilldown = cell
display.statistics.rowNumbers = 0
display.statistics.wrap = 1
display.visualizations.chartHeight = 300
display.visualizations.charting.chart = column
display.visualizations.charting.chart.style = shiny
display.visualizations.charting.legend.labelStyle.overflowMode = ellipsisMiddle
display.visualizations.custom.type =
display.visualizations.type = charting

The only settings that fall out of /etc/system/default/ui-prefs.conf are the dispatch.earliest_time and dispatch.latest_time settings. We are running a search head cluster that has been recently upgraded to 6.5.2. When opening up the search app the time still defaults to "All Time". Is there something I am missing?

0 Karma
1 Solution

hortonew
Builder

On my search deployer, I made an app for user prefs. Seems to be working.

local/ui-prefs.conf
[search]
dispatch.earliest_time = -5m
dispatch.latest_time = now

metadata/local.meta
[]
access = read : [ * ], write : [ admin ]
export = system

View solution in original post

hortonew
Builder

On my search deployer, I made an app for user prefs. Seems to be working.

local/ui-prefs.conf
[search]
dispatch.earliest_time = -5m
dispatch.latest_time = now

metadata/local.meta
[]
access = read : [ * ], write : [ admin ]
export = system

mdsnmss
SplunkTrust
SplunkTrust

It looks like I was missing the .meta bit. I've encountered that before where I had missed export=system and a setting didn't work. Something I'll be more conscious in looking for now. Thanks for the help!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...