Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

default search timeframes

a212830
Champion
‎04-25-2012 11:46 AM

I tried doing this, and it worked for the Summary view, but once I picked on a specific source or sourcetype, it went back to "All Time". Is there a way to change the default so that when I go from Summary to an individual source/sourctype, it won't be "All Time"?

Tags (2)
0 Karma
Reply

baconm
Engager
‎09-27-2013 09:10 AM

This can also be set on a per-user basis in the etc/users//search/local/viewstates.conf file:

[flashtimeline:_current]
TimeRangePicker_0_1_0.default = Last 15 minutes

[dashboard_live:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

Reply

lguinn2
Legend
‎04-25-2012 07:50 PM

You need to change this in all of the search views. For Splunk 4.3, there are two default search views in the Search app.

Look under Manager » User interface » Views and choose the App Context "search".
You should see a view named "flashtimeline" and a view named "dashboard_live". (BTW, dashboard_live is the name of the Summary view.)

Edit each view by clicking on its name. Look for the two lines

<module name="TimeRangePicker">
    <param name="selected">All time</param>

Change All time to the default time range of your choice. Spell it exactly as it appears in the time range picker drop-down. For example

<module name="TimeRangePicker">
    <param name="selected">Last 60 minutes</param>

Save your edits.

When you have done this for both views, you will have altered the defaults. If you have other, custom search views, you may need to edit them as well. And you may need to repeat this when you install updates to Splunk. Fortunately, it is easy to do.

Reply

ChrisG
Splunk Employee
Splunk Employee
‎01-03-2014 02:41 PM

In 6.0, use the ui-prefs.conf file. See http://docs.splunk.com/Documentation/Splunk/6.0.1/Search/Selecttimerangestoapply#Change_the_default_....

Reply

JimDeich
Path Finder
‎12-02-2013 01:31 PM

For version 6.0 I put in the changes in Manager » User interface » Views

on but the default still shows as "All time"
Are there other views to be added for Splunk 6 ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...