Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my ui-prefs.conf change to make the default search time range 15 minutes in all apps not being respected?

daniel333
Builder
‎06-18-2015 09:13 AM

Goal - Change the default time of search to 15 minutes in all apps.

I created a ui-prefs.conf in the local of the search app, but this didn't work. I also tried in the local of the system and didn't work. I believe this should set my default time in search to 15 minutes, but with no luck at all. 

[search]
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
Tags (2)
0 Karma
Reply

pellegrini
Path Finder
‎12-01-2020 03:16 AM

This config will not take effect if there is cached user config overriding it, like @ltrand says. 

Wipe out this directory for each user will work but it removes user search history etc. Also, after removing directory or config, a restart is needed. A more controlled way would be only to remove the affected stanza.

For example user Bart have used the Search app but not the MyOwnApp. Then these config changes wiil take effect for app MyOwnApp but not for the Search app. To have this change take effect for Search app as well, do this:

-bash-4.2$ pwd
/opt/splunk/etc/users/bart/search
-bash-4.2$ ll
total 0
drwx------ 2 splunk splunk 52 Nov 24 08:08 history
drwx------ 2 splunk splunk 26 Sep 24 22:03 local
drwx------ 2 splunk splunk 23 Sep 24 22:03 metadata
-bash-4.2$ ll local/
total 4
-rw------- 1 splunk splunk 9 Sep 24 22:03 ui-prefs.conf
-bash-4.2$ cat local/ui-prefs.conf
[search]
-bash-4.2$

 Remove the search stanza header and restart splunk.

0 Karma
Reply

lakromani
Builder
‎10-28-2016 12:10 AM

PS its better to use -15m instead of -15m@m

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎08-28-2015 02:55 PM

There is a long discussion of a similar question already posted to Splunk Answers.

That question is about making the change persistent in the search app.

However, this specific answer to the question seems to suggest that creating dispatch.earliest and dispatch.latest settings in $SPLUNK_HOME/etc/system/local/ui-prefs.conf, using a stanza for each app, might work.

0 Karma
Reply

ltrand
Contributor
‎08-28-2015 12:50 PM

Have you checked to see if the user level preferences are overriding this? Every time I need to change this I have to wipe out the user/app/local/ui-prefs.conf for it to work.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...