Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is my ui-prefs.conf change to make the default search time range 15 minutes in all apps not being respected?

daniel333
Builder
‎06-18-2015 09:13 AM

Goal - Change the default time of search to 15 minutes in all apps.

I created a ui-prefs.conf in the local of the search app, but this didn't work. I also tried in the local of the system and didn't work. I believe this should set my default time in search to 15 minutes, but with no luck at all. 

[search]
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
Tags (2)
0 Karma
Reply

pellegrini
Path Finder
‎12-01-2020 03:16 AM

This config will not take effect if there is cached user config overriding it, like @ltrand says. 

Wipe out this directory for each user will work but it removes user search history etc. Also, after removing directory or config, a restart is needed. A more controlled way would be only to remove the affected stanza.

For example user Bart have used the Search app but not the MyOwnApp. Then these config changes wiil take effect for app MyOwnApp but not for the Search app. To have this change take effect for Search app as well, do this:

-bash-4.2$ pwd
/opt/splunk/etc/users/bart/search
-bash-4.2$ ll
total 0
drwx------ 2 splunk splunk 52 Nov 24 08:08 history
drwx------ 2 splunk splunk 26 Sep 24 22:03 local
drwx------ 2 splunk splunk 23 Sep 24 22:03 metadata
-bash-4.2$ ll local/
total 4
-rw------- 1 splunk splunk 9 Sep 24 22:03 ui-prefs.conf
-bash-4.2$ cat local/ui-prefs.conf
[search]
-bash-4.2$

 Remove the search stanza header and restart splunk.

0 Karma
Reply

lakromani
Builder
‎10-28-2016 12:10 AM

PS its better to use -15m instead of -15m@m

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎08-28-2015 02:55 PM

There is a long discussion of a similar question already posted to Splunk Answers.

That question is about making the change persistent in the search app.

However, this specific answer to the question seems to suggest that creating dispatch.earliest and dispatch.latest settings in $SPLUNK_HOME/etc/system/local/ui-prefs.conf, using a stanza for each app, might work.

0 Karma
Reply

ltrand
Contributor
‎08-28-2015 12:50 PM

Have you checked to see if the user level preferences are overriding this? Every time I need to change this I have to wipe out the user/app/local/ui-prefs.conf for it to work.

Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...