How do I change the default search period for an app?

matt
Splunk Employee

How can I change the default search period for an app so that my users search the last 15 minutes by default instead of all time?

1 Solution

rithy
Splunk Employee

In order to establish the default value for time range, the viewstates.conf file will need to be modified.

The stanza that needs to either be modified or added is below:

[dashboard:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

In the example above, the default option is 4 hours. For last 60 minutes, you would change the "Last 4 hours" to "Last 60 minutes".

Now, to make the actual modification, you'll need to do it in 2 separate locations - one for current users and another for new users.

Current users:

  1. Navigate to $SPLUNK_HOME/etc/users/[your user]/search/local/viewstates.conf
  2. Edit viewstates.conf
  3. Modify the "TimeRangePicker_0_1_0.default" to your liking

[dashboard:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

  4. Save

NOTE: No need to restart Splunk for this change to take effect as it is parsed at login time.

New users:

  1. Navigate to $SPLUNK_HOME/etc/apps/search/local
  2. If viewstates.conf does not exist, create a text file, rename to viewstates.conf and add the following lines:

[dashboard:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

  3. Save file
  4. Restart Splunk -- IMPORTANT!!!!

NOTE: If a user changes the search to "All Time", the default for that specific user will be changed from your default choice to "All Time".

Again, replace "Last 4 hours" with the specific default time range you would like your NEW users to have.

mslvrstn
Communicator

The instructions in rithy's answer above did not quite work for me on a 4.2.2 system.
I got it to work with these stanzas:

[dashboard_live:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

[flashtimeline:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

in the viewstates.conf files previously mentioned:

  • $SPLUNK_HOME/etc/users/[your user]/search/local/viewstates.conf

or

  • $SPLUNK_HOME/etc/apps/search/local/viewstates.conf

The minor difference being dashboard becomes dashboard_live and the additional flashtimeline entry.
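
An added example, not part of any post in this thread and not Splunk's own code: a Python script that applies the per-user edit described in the two answers above across every existing user, covering any `:_current` stanza (dashboard, dashboard_live, flashtimeline). The function names `reset_time_default` and `audit_users`, the sample file contents and the `constructed_id` stanza are assumptions made for illustration.

```python
import re
from pathlib import Path

KEY = "TimeRangePicker_0_1_0.default"            # key name as quoted in the answers
STANZA = re.compile(r"^\[([^\]:]+):_current\]$")  # dashboard, dashboard_live, flashtimeline, ...
SETTING = re.compile(r"^" + re.escape(KEY) + r"\s*=\s*(.*)$")

def reset_time_default(text, wanted="Last 4 hours"):
    """Return (new_text, changes); changes lists (view, old_value) per rewritten line."""
    out, changes, view = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            m = STANZA.match(stripped)
            view = m.group(1) if m else None      # only *:_current stanzas are touched
        elif view:
            m = SETTING.match(stripped)
            if m and m.group(1).strip() != wanted:
                changes.append((view, m.group(1).strip()))
                line = f"{KEY} = {wanted}"
        out.append(line)
    return "\n".join(out) + "\n", changes

def audit_users(splunk_home, app="search", wanted="Last 4 hours", apply=False):
    """Report users whose stored default differs; rewrite files only if apply=True."""
    report = {}
    pattern = f"etc/users/*/{app}/local/viewstates.conf"
    for conf in sorted(Path(splunk_home).glob(pattern)):
        new_text, changes = reset_time_default(conf.read_text(), wanted)
        if changes:
            report[conf.parts[-4]] = changes      # .../users/<user>/<app>/local/<file>
            if apply:
                conf.write_text(new_text)
    return report

# Constructed sample: a user whose timeline picker has stuck on "All time".
SAMPLE = """[flashtimeline:_current]
TimeRangePicker_0_1_0.default = All time
[dashboard_live:_current]
TimeRangePicker_0_1_0.default = Last 4 hours
[flashtimeline:constructed_id]
TimeRangePicker_0_1_0.default = All time
"""

if __name__ == "__main__":
    fixed, changed = reset_time_default(SAMPLE)
    print(changed)
    print(fixed, end="")
```

Call `audit_users` with `apply=False` first to list which users would be changed. According to the accepted answer, the per-user file is parsed at login time, so no restart is needed for those edits.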

rajiv_kumar
Path Finder

I have seen that some users don't pay attention to which period is selected in the search. So I am looking for a way to keep the default search period for an app from changing.

In the above solution, it seems that once a user changes the default period, it will change. Please advise if anyone has a solution.

piebob
Splunk Employee

You can specify a custom default search period in a copy of times.conf for your app. If you're using saved searches for your app, you could also specify the time range in the search, as described here: http://docs.splunk.com/Documentation/Splunk/4.2.2/User/ChangeTheTimeRangeOfYourSearch

Glenn
Builder

This would be useful, my users often set it to all time, which then stays as the default until they change it. Then their searches take ages and slow down the whole system. I know I could customise their timerangepicker but resetting their default selection would be useful also.

matt
Splunk Employee

Sure, but how do I ensure that is the selection that they will always start with?
