Splunk Enterprise Security

Splunk ES Incident Review Dashboard Default Search Time Settings

tezkpk
Engager

I am a Splunk ES (enterprise security) user, looking to change the default search time setting for all users on the Incident Review dashboard. By default, it is set to search "All Time." I would like to change it to search the last 24 hours. I have tried editing the XML of the dashboard and looked into the JavaScript, which powers the dashboard, but nothing that I have tried changes the default search time for users.

It appears that the time is sent into the url as parameters (earliest=0&latest= which searches All Time). Has anyone seen the settings, whether it be through the GUI, or through the CLI, on how to change the default search time setting for the Incident Review dashboard?

0 Karma
1 Solution

LukeMurphey
Champion

This was fixed in newer versions of ES. ES 4.5.0, 4.2.2, 4.1.3, and 4.0.5 do not default to an all-time search.

View solution in original post

LukeMurphey
Champion

This was fixed in newer versions of ES. ES 4.5.0, 4.2.2, 4.1.3, and 4.0.5 do not default to an all-time search.

Get Updates on the Splunk Community!

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...

Buttercup Games: Further Dashboarding Techniques (Part 2)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Index This | What is the next number in the series? 7,645 5,764 4,576…

February 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...