Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do change the default search period for an app?

matt
Splunk Employee
Splunk Employee
‎01-26-2010 02:14 AM

How can I change the default search period for an app so that my users search the last 15 minutes by default instead of all time?

Reply
1 Solution
Solved! Jump to solution
Solution

rithy
Splunk Employee
Splunk Employee
‎05-04-2010 07:30 PM

In order to establish the default value for time range, the viewstates.conf file will need to be modified.

The stanza that needs to either be modified or added is below:

[dashboard:_current] TimeRangePicker_0_1_0.default = Last 4 hours

In the example above, the default option is 4 hours. For last 60 minutes, you would change the "Last 4 hours" to "Last 60 minutes".

Now, to make the actual modification, you'll need to do it in 2 separate locations - one for current users and another for new users.

Current users: 1. Navigate to $SPLUNK_HOME/etc/users/ [your user] /search/local/viewstates.conf 2. Edit viewstates.conf 3. Modify the "TimeRangePicker_0_1_0.default" to your liking

[dashboard:_current] TimeRangePicker_0_1_0.default = Last 4 hours

  1. Save NOTE: No need to restart Splunk for this change to take effect as it is parsed at login time.

New users: 1. Navigate to $SPLUNK_HOME/etc/apps/search/local 2. If viewstates.conf does not exist, create a text file, rename to viewstates.conf and add the following lines:

[dashboard:_current] TimeRangePicker_0_1_0.default = Last 4 hours

  1. Save file
  2. Restart Splunk -- IMPORTANT!!!!

NOTE: If a user changes the search to "All Time", the default for that specific user will be changed from your default choice to "All Time".

Again, replace "Last 4 hours" with the specific default time range you would like your NEW users to have.

View solution in original post

Reply
Solved! Jump to solution

mslvrstn
Communicator
‎08-12-2011 08:27 AM

The instructions in rithy's answer above did not quite work for me on a 4.2.2 system.
I got it to work with these stanzas:

[dashboard_live:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

[flashtimeline:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

in the viewstates.conf files previously mentioned:

  • $SPLUNK_HOME/etc/users/ [your user] /search/local/viewstates.conf

or

  • $SPLUNK_HOME/etc/apps/search/local/viewstates.conf

The minor difference being dashboard becomes dashboard_live and the additional flashtimeline entry.

Reply
Solved! Jump to solution

rajiv_kumar
Path Finder
‎01-20-2011 10:05 PM

I used to see, some user won't bother what is period selected in search. So, I am looking, it should not change default search period for an app?

In the above solution, it seems, once user change the default period, it will change. Please advise if any one has solution.

0 Karma
Reply
Solved! Jump to solution
Solution

rithy
Splunk Employee
Splunk Employee
‎05-04-2010 07:30 PM

In order to establish the default value for time range, the viewstates.conf file will need to be modified.

The stanza that needs to either be modified or added is below:

[dashboard:_current] TimeRangePicker_0_1_0.default = Last 4 hours

In the example above, the default option is 4 hours. For last 60 minutes, you would change the "Last 4 hours" to "Last 60 minutes".

Now, to make the actual modification, you'll need to do it in 2 separate locations - one for current users and another for new users.

Current users: 1. Navigate to $SPLUNK_HOME/etc/users/ [your user] /search/local/viewstates.conf 2. Edit viewstates.conf 3. Modify the "TimeRangePicker_0_1_0.default" to your liking

[dashboard:_current] TimeRangePicker_0_1_0.default = Last 4 hours

  1. Save NOTE: No need to restart Splunk for this change to take effect as it is parsed at login time.

New users: 1. Navigate to $SPLUNK_HOME/etc/apps/search/local 2. If viewstates.conf does not exist, create a text file, rename to viewstates.conf and add the following lines:

[dashboard:_current] TimeRangePicker_0_1_0.default = Last 4 hours

  1. Save file
  2. Restart Splunk -- IMPORTANT!!!!

NOTE: If a user changes the search to "All Time", the default for that specific user will be changed from your default choice to "All Time".

Again, replace "Last 4 hours" with the specific default time range you would like your NEW users to have.

Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎01-27-2010 11:58 PM

you can specify a custom default search period in a copy of times.conf for your app. if you're using saved searches for your app, you could also specify the time range in the search, as described here: http://docs.splunk.com/Documentation/Splunk/4.2.2/User/ChangeTheTimeRangeOfYourSearch

Reply
Solved! Jump to solution

Glenn
Builder
‎03-25-2010 09:36 AM

This would be useful, my users often set it to all time, which then stays as the default until they change it. Then their searches take ages and slow down the whole system. I know I could customise their timerangepicker but resetting their default selection would be useful also.

Reply
Solved! Jump to solution

matt
Splunk Employee
Splunk Employee
‎01-28-2010 01:18 AM

sure but how do ensure that is the selection that they will always start with?

Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...