Generic Host search only uses "all time"

When I choose a host from the Host list it automatically starts to search... but for "all time". I don't want to search for "all time". What XML file do you change to modify the initial search from "all time" to, say, 60 minutes or 15 minutes?

Re: Generic Host search only uses "all time"

Not sure if this is the best way, but I've done this for the search app by editing $SPLUNK_HOME/etc/apps/search/default/data/ui/views/flashtimeline.xml and changing the "selected" parameter to something other than "All time".

Re: Generic Host search only uses "all time"

I tried multiple different "time" changes:
'in the last two hours'
'two hours'
'in the last 15 minutes'

all to no avail. What timeline specifications did you use?
Thanks.
