Splunk Search

How do I change the default search period for an app?

matt
Splunk Employee

How can I change the default search period for an app so that my users search the last 15 minutes by default instead of all time?

1 Solution

rithy
Splunk Employee

In order to establish the default value for time range, the viewstates.conf file will need to be modified.

The stanza that needs to either be modified or added is below:

[dashboard:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

In the example above, the default option is 4 hours. For last 60 minutes, you would change the "Last 4 hours" to "Last 60 minutes".

Now, to make the actual modification, you'll need to do it in 2 separate locations - one for current users and another for new users.

Current users:

  1. Navigate to $SPLUNK_HOME/etc/users/[your user]/search/local/viewstates.conf
  2. Edit viewstates.conf
  3. Modify the "TimeRangePicker_0_1_0.default" to your liking

[dashboard:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

  4. Save

NOTE: No need to restart Splunk for this change to take effect as it is parsed at login time.

New users:

  1. Navigate to $SPLUNK_HOME/etc/apps/search/local
  2. If viewstates.conf does not exist, create a text file, rename to viewstates.conf and add the following lines:

[dashboard:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

  3. Save file
  4. Restart Splunk -- IMPORTANT!!!!

NOTE: If a user changes the search to "All Time", the default for that specific user will be changed from your default choice to "All Time".

Again, replace "Last 4 hours" with the specific default time range you would like your NEW users to have.


mslvrstn
Communicator

The instructions in rithy's answer above did not quite work for me on a 4.2.2 system.
I got it to work with these stanzas:

[dashboard_live:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

[flashtimeline:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

in the viewstates.conf files previously mentioned:

  • $SPLUNK_HOME/etc/users/[your user]/search/local/viewstates.conf

or

  • $SPLUNK_HOME/etc/apps/search/local/viewstates.conf

The minor difference being dashboard becomes dashboard_live and the additional flashtimeline entry.
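The NOTE in rithy's answer says that a user who picks "All Time" replaces the configured default for that user. As an added example (not part of the original posts and not Splunk tooling), this Python script walks the per-user viewstates.conf files named above and reports every stanza whose picker default is set to the unbounded range. The sample tree is constructed, and matching "All time" case-insensitively is an assumption about how the value is stored.

```python
import configparser
import tempfile
from pathlib import Path

# Key as quoted in the thread; the stored spelling of "All time" is an assumption.
PICKER_KEY = "TimeRangePicker_0_1_0.default"
UNBOUNDED = "all time"

def read_conf(path):
    """Parse a Splunk .conf file, keeping key case and tolerating repeats."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # configparser lowercases keys unless told not to
    cp.read(path, encoding="utf-8")
    return cp

def find_overrides(splunk_home, app="search"):
    """Return (user, stanza, value) for each per-user picker default
    that is set to the unbounded range."""
    hits = []
    users_dir = Path(splunk_home) / "etc" / "users"
    for conf in sorted(users_dir.glob(f"*/{app}/local/viewstates.conf")):
        user = conf.relative_to(users_dir).parts[0]
        cp = read_conf(conf)
        for stanza in cp.sections():
            value = cp.get(stanza, PICKER_KEY, fallback=None)
            if value is not None and value.strip().lower() == UNBOUNDED:
                hits.append((user, stanza, value.strip()))
    return hits

def build_sample_tree(root):
    """Constructed sample data: two users, one stuck on 'All time'."""
    samples = {
        "alice": "[flashtimeline:_current]\nTimeRangePicker_0_1_0.default = All time\n",
        "bob": "[dashboard_live:_current]\nTimeRangePicker_0_1_0.default = Last 4 hours\n",
    }
    for user, text in samples.items():
        d = Path(root) / "etc" / "users" / user / "search" / "local"
        d.mkdir(parents=True)
        (d / "viewstates.conf").write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample_tree(home)
        for user, stanza, value in find_overrides(home):
            print(f"{user}: [{stanza}] {PICKER_KEY} = {value}")
```

Pointing `find_overrides` at a real $SPLUNK_HOME lists the users whose saved default would need resetting by the "Current users" steps.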

rajiv_kumar
Path Finder

I have seen that some users don't bother about what period is selected in the search. So I am looking for a way to keep the default search period for an app from changing.

In the above solution, it seems that once a user changes the default period, it will change. Please advise if anyone has a solution.


piebob
Splunk Employee

You can specify a custom default search period in a copy of times.conf for your app. If you're using saved searches for your app, you could also specify the time range in the search, as described here: http://docs.splunk.com/Documentation/Splunk/4.2.2/User/ChangeTheTimeRangeOfYourSearch

Glenn
Builder

This would be useful, my users often set it to all time, which then stays as the default until they change it. Then their searches take ages and slow down the whole system. I know I could customise their timerangepicker but resetting their default selection would be useful also.

matt
Splunk Employee

Sure, but how do I ensure that is the selection that they will always start with?
