Getting Data In

Why is my ui-prefs.conf change to make the default search time range 15 minutes in all apps not being respected?

daniel333
Builder

Goal - Change the default time of search to 15 minutes in all apps.

I created a ui-prefs.conf in the local of the search app, but this didn't work. I also tried in the local of the system, and that didn't work either. I believe this should set my default time in search to 15 minutes, but with no luck at all.

[search]
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
0 Karma

pellegrini
Path Finder

This config will not take effect if there is cached user config overriding it, like @ltrand says.

Wiping out this directory for each user will work, but it removes user search history etc. Also, after removing the directory or config, a restart is needed. A more controlled way would be to remove only the affected stanza.

For example, user Bart has used the Search app but not MyOwnApp. Then these config changes will take effect for the app MyOwnApp but not for the Search app. To have this change take effect for the Search app as well, do this:

-bash-4.2$ pwd
/opt/splunk/etc/users/bart/search
-bash-4.2$ ll
total 0
drwx------ 2 splunk splunk 52 Nov 24 08:08 history
drwx------ 2 splunk splunk 26 Sep 24 22:03 local
drwx------ 2 splunk splunk 23 Sep 24 22:03 metadata
-bash-4.2$ ll local/
total 4
-rw------- 1 splunk splunk 9 Sep 24 22:03 ui-prefs.conf
-bash-4.2$ cat local/ui-prefs.conf
[search]
-bash-4.2$

Remove the search stanza header and restart Splunk.

0 Karma
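The more controlled cleanup described in the answer above, as an added example that is not part of the original thread: it finds each user's cached ui-prefs.conf for one app and removes only the [search] stanza, keeping a backup copy. The function names are hypothetical, the directory layout is taken from the listing in the answer, and the sample tree and its `[otherview]` stanza are constructed.

```python
import re
import shutil
import tempfile
from pathlib import Path

STANZA_RE = re.compile(r"^\[([^\]]*)\]$")

def strip_stanza(text, stanza="search"):
    """Return (new_text, removed): drop [stanza] and its settings, keep the rest."""
    kept, removed, skipping = [], False, False
    for line in text.splitlines(keepends=True):
        header = STANZA_RE.match(line.strip())
        if header:  # every stanza header switches skipping on or off
            skipping = header.group(1) == stanza
            removed = removed or skipping
        if not skipping:
            kept.append(line)
    return "".join(kept), removed

def find_overrides(splunk_home, app="search", stanza="search"):
    """Per-user ui-prefs.conf files for `app` that still carry [stanza]."""
    pattern = f"etc/users/*/{app}/local/ui-prefs.conf"  # layout from the listing above
    return [conf for conf in sorted(Path(splunk_home).glob(pattern))
            if strip_stanza(conf.read_text(), stanza)[1]]

def clean_overrides(splunk_home, app="search", stanza="search", dry_run=True):
    """Remove [stanza] from each hit, leaving a .bak copy; returns files found."""
    hits = find_overrides(splunk_home, app, stanza)
    for conf in hits:
        if not dry_run:
            shutil.copy2(conf, conf.with_name(conf.name + ".bak"))  # keeps mode 0600
            conf.write_text(strip_stanza(conf.read_text(), stanza)[0])
    return hits

def demo():
    """Constructed tree: bart has a cached [search] stanza, lisa does not."""
    home = Path(tempfile.mkdtemp())
    samples = {  # constructed sample contents, not real user data
        "bart": "[search]\ndispatch.earliest_time = -24h\n"
                "[otherview]\ndispatch.earliest_time = -7d\n",
        "lisa": "[otherview]\ndispatch.earliest_time = -7d\n",
    }
    for user, body in samples.items():
        local = home / "etc" / "users" / user / "search" / "local"
        local.mkdir(parents=True)
        (local / "ui-prefs.conf").write_text(body)
    return home, clean_overrides(home, dry_run=False)

if __name__ == "__main__":
    for path in demo()[1]:
        print("cleaned", path)
```

Run `clean_overrides` with `dry_run=True` first to review the list of affected users, and run it as the account that owns the files. As the answer notes, a restart is still needed afterwards.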

lakromani
Builder

PS: it's better to use -15m instead of -15m@m

0 Karma

ChrisG
Splunk Employee

There is a long discussion of a similar question already posted to Splunk Answers.

That question is about making the change persistent in the search app.

However, this specific answer to the question seems to suggest that creating dispatch.earliest and dispatch.latest settings in $SPLUNK_HOME/etc/system/local/ui-prefs.conf, using a stanza for each app, might work.

0 Karma

ltrand
Contributor

Have you checked to see if the user level preferences are overriding this? Every time I need to change this I have to wipe out the user/app/local/ui-prefs.conf for it to work.
