- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- All searches default to "All time", even if option...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We're currently running Splunk Enterprise 6.2 in one of our environments and whenever any search is done, the time range picker defaults to "All time". This is very bad for us, and we would preferably disable it all together, or at least be able to select something more reasonable as the default option.
Things that are unsuccessful:
- Setting the "preset" value in a Django template tag (described here: http://docs.splunk.com/Documentation/WebFramework)
- Creating an app-specific ui-configuration (in times.conf) with the "all time"-option disabled
- Disabling the global "all time"-option system-wide
Despite all this, it still defaults to "all time". I read somewhere on here earlier today that this is a known bug, but I can't seem to find the page again. Does anyone know of any workarounds for this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This was caused by a bug in Splunk 6.2.0, and is fixed in 6.2.1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This was caused by a bug in Splunk 6.2.0, and is fixed in 6.2.1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can be selected in ui-prefs.conf
Splunkhome/etc/system/local/ui-prefs.conf
Add a stanza
[search]
dispatch.earliest_time = @d
dispatch.latest_time = now
Save restart splunk. Hope this helps
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this set a permanent limit, or just the default value for the search?
Is the stanza the app name?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no, this sets the default time range for the view named search see the docs http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Ui-prefsconf for details
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately, I'm not dealing with XML views, but rather a Django template in the Web Framework. The search control is handled like this:
{% timerange id="timerange"
managerid="base_search"
preset="Last 24 hours"
earliest_time="$earliestval$"|token_safe
latest_time="$latestval$"|token_safe
%}
From the doc:
[<stanza name>]
* Stanza name is the name of the xml view file
Unless I've missed something, that is.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
correction of small typo, it should be [search] not [Search]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks MuS 🙂 typed it from my phone.
Archived Metrics Now Available for APAC and EMEA realms
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!
