Solved: Splunk ES Incident Review Dashboard Default Search...

tezkpk · ‎10-19-2016

I am a Splunk ES (enterprise security) user, looking to change the default search time setting for all users on the Incident Review dashboard. By default, it is set to search "All Time." I would like to change it to search the last 24 hours. I have tried editing the XML of the dashboard and looked into the JavaScript, which powers the dashboard, but nothing that I have tried changes the default search time for users.

It appears that the time is sent into the url as parameters (earliest=0&latest= which searches All Time). Has anyone seen the settings, whether it be through the GUI, or through the CLI, on how to change the default search time setting for the Incident Review dashboard?

LukeMurphey · ‎10-24-2016

This was fixed in newer versions of ES. ES 4.5.0, 4.2.2, 4.1.3, and 4.0.5 do not default to an all-time search.

View solution in original post

LukeMurphey · ‎10-24-2016

This was fixed in newer versions of ES. ES 4.5.0, 4.2.2, 4.1.3, and 4.0.5 do not default to an all-time search.

Splunk ES Incident Review Dashboard Default Search Time Settings

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...