How do change the default search period for an app?

Splunk Employee

How can I change the default search period for an app so that my users search the last 15 minutes by default instead of all time?

Re: How do change the default search period for an app?

Splunk Employee

You can specify a custom default search period in a copy of times.conf for your app. If you're using saved searches for your app, you could also specify the time range in the search, as described here: http://docs.splunk.com/Documentation/Splunk/4.2.2/User/ChangeTheTimeRangeOfYourSearch

Re: How do change the default search period for an app?

Splunk Employee

Sure, but how do I ensure that is the selection that they will always start with?

Re: How do change the default search period for an app?

Builder

This would be useful, my users often set it to all time, which then stays as the default until they change it. Then their searches take ages and slow down the whole system. I know I could customise their timerangepicker but resetting their default selection would be useful also.

Re: How do change the default search period for an app?

Splunk Employee

In order to establish the default value for time range, the viewstates.conf file will need to be modified.

The stanza that needs to either be modified or added is below:

[dashboard:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

In the example above, the default option is 4 hours. For last 60 minutes, you would change the "Last 4 hours" to "Last 60 minutes".

Now, to make the actual modification, you'll need to do it in 2 separate locations - one for current users and another for new users.

Current users:

  1. Navigate to $SPLUNK_HOME/etc/users/[your user]/search/local/viewstates.conf
  2. Edit viewstates.conf
  3. Modify the "TimeRangePicker_0_1_0.default" to your liking

[dashboard:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

  4. Save

NOTE: No need to restart Splunk for this change to take effect as it is parsed at login time.

New users:

  1. Navigate to $SPLUNK_HOME/etc/apps/search/local
  2. If viewstates.conf does not exist, create a text file, rename to viewstates.conf and add the following lines:

[dashboard:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

  3. Save file
  4. Restart Splunk -- IMPORTANT!!!!

NOTE: If a user changes the search to "All Time", the default for that specific user will be changed from your default choice to "All Time".

Again, replace "Last 4 hours" with the specific default time range you would like your NEW users to have.

Re: How do change the default search period for an app?

Path Finder

I used to see, some user won't bother what is period selected in search. So, I am looking, it should not change default search period for an app?

In the above solution, it seems, once a user changes the default period, it will change. Please advise if anyone has a solution.

Re: How do change the default search period for an app?

Communicator

The instructions in rithy's answer above did not quite work for me on a 4.2.2 system.
I got it to work with these stanzas:

[dashboard_live:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

[flashtimeline:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

in the viewstates.conf files previously mentioned:

  • $SPLUNK_HOME/etc/users/[your user]/search/local/viewstates.conf

or

  • $SPLUNK_HOME/etc/apps/search/local/viewstates.conf

The minor difference being dashboard becomes dashboard_live and the additional flashtimeline entry.
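
Added example, not part of any post in this thread: a POSIX shell sketch that writes the `TimeRangePicker_0_1_0.default` setting into every existing user's `viewstates.conf` under the per-user path given in the answers, replacing whatever range a user last saved. The function names `set_default_range` and `reset_all_users` are hypothetical, and the stanza names are passed as arguments because the answers above report different ones.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
KEY='TimeRangePicker_0_1_0.default'   # key name as given in the thread

# set_default_range FILE STANZA LABEL
# Make [STANZA] in FILE carry "KEY = LABEL", replacing any saved value
# (for example a user's sticky "All Time") and adding the stanza if absent.
set_default_range() {
    vs_file=$1 vs_stanza=$2 vs_label=$3
    [ -f "$vs_file" ] || : > "$vs_file" || return 1
    vs_tmp=$(mktemp) || return 1
    awk -v stanza="[$vs_stanza]" -v key="$KEY" -v label="$vs_label" '
        /^\[/ {                                  # any stanza header
            in_s = ($0 == stanza); print
            if (in_s) { print key " = " label; seen = 1 }
            next
        }
        in_s && index($0, key) == 1 { next }     # drop the old saved value
        { print }
        END { if (!seen) { if (NR) print ""; print stanza; print key " = " label } }
    ' "$vs_file" > "$vs_tmp" || { rm -f "$vs_tmp"; return 1; }
    # Write back in place so the file keeps its owner and mode.
    cat "$vs_tmp" > "$vs_file" && rm -f "$vs_tmp"
}

# reset_all_users SPLUNK_HOME LABEL STANZA...
# Apply the default to every existing user's search-app viewstates.conf and
# print how many user directories were updated. Users without a
# search/local directory are skipped.
reset_all_users() {
    ra_root=$1 ra_label=$2; shift 2
    ra_count=0
    for ra_dir in "$ra_root"/etc/users/*/search/local; do
        [ -d "$ra_dir" ] || continue
        for ra_stanza in "$@"; do
            set_default_range "$ra_dir/viewstates.conf" "$ra_stanza" "$ra_label" || return 1
        done
        ra_count=$((ra_count + 1))
    done
    echo "$ra_count"
}

# Usage (pass the stanza names that apply to your version):
#   reset_all_users "$SPLUNK_HOME" "Last 4 hours" "dashboard:_current" "flashtimeline:_current"
```

Running it on a schedule is one way to undo the per-user drift to "All Time" that the accepted answer's NOTE describes; per that answer, per-user files are parsed at login time.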