Solved: All searches default to "All time", even if option...

eirik_talberg · ‎01-07-2015

We're currently running Splunk Enterprise 6.2 in one of our environments and whenever any search is done, the time range picker defaults to "All time". This is very bad for us, and we would preferably disable it all together, or at least be able to select something more reasonable as the default option.

Things that are unsuccessful:
- Setting the "preset" value in a Django template tag (described here: http://docs.splunk.com/Documentation/WebFramework)
- Creating an app-specific ui-configuration (in times.conf) with the "all time"-option disabled
- Disabling the global "all time"-option system-wide

Despite all this, it still defaults to "all time". I read somewhere on here earlier today that this is a known bug, but I can't seem to find the page again. Does anyone know of any workarounds for this?

eirik_talberg · ‎04-21-2015

This was caused by a bug in Splunk 6.2.0, and is fixed in 6.2.1.

View solution in original post

eirik_talberg · ‎04-21-2015

This was caused by a bug in Splunk 6.2.0, and is fixed in 6.2.1.

eirik_talberg · ‎04-21-2015

This was caused by a bug in Splunk 6.2.0, and is fixed in 6.2.1.

Raghav2384 · ‎01-07-2015

Can be selected in ui-prefs.conf

Splunkhome/etc/system/local/ui-prefs.conf

Add a stanza
[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

Save restart splunk. Hope this helps

Thanks,
Raghav

eirik_talberg · ‎01-07-2015

Does this set a permanent limit, or just the default value for the search?

Is the stanza the app name?

MuS · ‎01-07-2015

no, this sets the default time range for the view named search see the docs http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Ui-prefsconf for details

eirik_talberg · ‎01-07-2015

Unfortunately, I'm not dealing with XML views, but rather a Django template in the Web Framework. The search control is handled like this:

 {% timerange id="timerange" 
            managerid="base_search"
            preset="Last 24 hours" 
            earliest_time="$earliestval$"|token_safe 
            latest_time="$latestval$"|token_safe  
        %}

From the doc:

[<stanza name>]
* Stanza name is the name of the xml view file

Unless I've missed something, that is.

MuS · ‎01-07-2015

correction of small typo, it should be [search] not [Search]

Raghav2384 · ‎01-07-2015

Thanks MuS 🙂 typed it from my phone.

All searches default to "All time", even if option is disabled

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?