Splunk Search

All searches default to "All time", even if option is disabled

eirik_talberg
Explorer

We're currently running Splunk Enterprise 6.2 in one of our environments and whenever any search is done, the time range picker defaults to "All time". This is very bad for us, and we would preferably disable it altogether, or at least be able to select something more reasonable as the default option.

Things that are unsuccessful:
- Setting the "preset" value in a Django template tag (described here: http://docs.splunk.com/Documentation/WebFramework)
- Creating an app-specific ui-configuration (in times.conf) with the "all time"-option disabled
- Disabling the global "all time"-option system-wide

Despite all this, it still defaults to "all time". I read somewhere on here earlier today that this is a known bug, but I can't seem to find the page again. Does anyone know of any workarounds for this?

0 Karma
1 Solution

eirik_talberg
Explorer

This was caused by a bug in Splunk 6.2.0, and is fixed in 6.2.1.

0 Karma

Raghav2384
Motivator

Can be selected in ui-prefs.conf

Splunkhome/etc/system/local/ui-prefs.conf

Add a stanza
[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

Save and restart Splunk. Hope this helps.

Thanks,
Raghav
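
Added example (not part of the thread and not Splunk tooling): a small Python check that reads the text of one ui-prefs.conf file and reports, per view stanza, whether a bounded default time range is configured. Treating an empty or `0` earliest time as unbounded, and falling back to a `[default]` stanza, are assumptions of this example; the sample content is constructed, and layering across multiple conf directories is not resolved.

```python
import configparser

# Constructed sample ui-prefs.conf content, not taken from the poster's system.
SAMPLE_CONF = """\
[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

[my_dashboard]
dispatch.earliest_time = 0
dispatch.latest_time =

[other_view]
dispatch.latest_time = now
"""

# Assumption: an empty or "0" earliest time gives no lower bound ("All time").
UNBOUNDED = {"", "0"}


def parse_ui_prefs(text):
    """Parse .conf text into {stanza: {key: value}}, keeping key case."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # do not lowercase keys
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def audit_time_ranges(text):
    """Return {view: (earliest, latest, has_bounded_default)} for one file."""
    conf = parse_ui_prefs(text)
    defaults = conf.get("default", {})  # assumed global fallback stanza
    report = {}
    for view, settings in conf.items():
        if view == "default":
            continue
        merged = {**defaults, **settings}
        earliest = merged.get("dispatch.earliest_time", "").strip()
        latest = merged.get("dispatch.latest_time", "").strip()
        report[view] = (earliest, latest, earliest not in UNBOUNDED)
    return report


if __name__ == "__main__":
    for view, (earliest, latest, ok) in audit_time_ranges(SAMPLE_CONF).items():
        status = "bounded" if ok else "NO BOUNDED DEFAULT"
        print(f"[{view}] earliest={earliest!r} latest={latest!r} -> {status}")
```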

eirik_talberg
Explorer

Does this set a permanent limit, or just the default value for the search?

Is the stanza the app name?

0 Karma

MuS
Legend

No, this sets the default time range for the view named search; see the docs http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Ui-prefsconf for details.

0 Karma

eirik_talberg
Explorer

Unfortunately, I'm not dealing with XML views, but rather a Django template in the Web Framework. The search control is handled like this:

    {% timerange id="timerange"
                 managerid="base_search"
                 preset="Last 24 hours"
                 earliest_time="$earliestval$"|token_safe
                 latest_time="$latestval$"|token_safe
    %}

From the doc:

[<stanza name>]
* Stanza name is the name of the xml view file

Unless I've missed something, that is.

0 Karma

MuS
Legend

Correction of a small typo: it should be [search], not [Search].

0 Karma

Raghav2384
Motivator

Thanks MuS 🙂 typed it from my phone.

0 Karma