Splunk Enterprise Security

Splunk Enterprise Security: How to change the default time range inside the app?

mgrosholz
Path Finder

I know how to change the default time range in the search head but it only applies to the Search & Reporting app.

Does anyone know how to change the default time within the Splunk Enterprise Security app?
I cannot find any documentation on it.

0 Karma
1 Solution

mgrosholz
Path Finder

I reached out to Splunk Support and got the problem resolved. It was fairly simple. To fix via the UI, follow the steps below.

  1. Navigate to Settings -> Service Settings -> Search Preferences
  2. Change Default search time range to "Last 4 hours" and save.
  3. Navigate to ES App -> click on search -> select Search


skalliger
SplunkTrust

Good to know. Documented this for our future ES setup as well. Thanks!

0 Karma

skalliger
SplunkTrust

What do you mean by saying "but it only applies to the Search & Reporting app"? Did you change it in the config itself? If so, in which config did you change it?
Did you try to insert the following into $SPLUNK_HOME/etc/system/local/ui-prefs.conf? Because SplunkEnterpriseSecuritySuite does not contain a ui-prefs.conf, I would suggest editing it in the mentioned location.

Insert a default stanza there, like this:

[default]
dispatch.earliest_time = whenever1
dispatch.latest_time = whenever2

For further information, see if this helps: https://answers.splunk.com/answers/106136/how-to-set-the-default-search-time-in-splunk-6.html

(ES SH is not running right now, otherwise I would have tested it myself.)

Skalli

0 Karma

mgrosholz
Path Finder

I didn't think ES had its own .conf file. I did change the default time in the location you mentioned and followed the instructions and formatting stated in the documentation.

To clarify, the search head with the ES app was changed. Within the same search head, the "Search & Reporting" app does reflect the changes made. However, when you go into the ES app, and click on the "Search" tab, then the "Search" option, the setting is still set to "All Time".

0 Karma

skalliger
SplunkTrust

Ah, that's unfortunate that it didn't have any effect on the ES app.
I would try to create a ui-prefs.conf file in the local directory in the ES app and insert the stanza there. Maybe that helps. I would try that only on a dev/testing environment, of course. If that doesn't help either, maybe try contacting Splunk support.

0 Karma
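An added example of the ui-prefs.conf approach discussed by skalliger above (the system-wide file in the earlier reply, and the app-local file in the later one); it is not from any poster in this thread. The values fill in skalliger's "whenever1"/"whenever2" placeholders with the "Last 4 hours" default that the accepted answer sets through the UI. The app directory name SplunkEnterpriseSecuritySuite is taken from the thread; whether an app-local copy actually changes the ES Search view is exactly what the thread left untested, so check the effective value afterwards rather than assuming it.

```ini
# Added example, not from the thread.
# File 1: $SPLUNK_HOME/etc/system/local/ui-prefs.conf (system-wide default)
# File 2: $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/ui-prefs.conf
#         (app-local override; same stanza, placed inside the ES app)
# Both files carry the same content:

[default]
# Equivalent of the "Last 4 hours" search preference from the accepted answer:
# relative earliest time of minus four hours, latest time of now.
dispatch.earliest_time = -4h
dispatch.latest_time = now
```

After restarting or reloading the search head, `splunk btool ui-prefs list --debug` prints every effective ui-prefs setting together with the file it came from, so you can see whether the app-local copy or etc/system/local is the one Splunk resolved for the ES app context. Pairing the conf edit with that check avoids the situation in the thread, where the Search & Reporting app picked up the change but the ES Search view still showed "All Time".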