Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

default search timeframes

a212830
Champion
‎04-25-2012 11:46 AM

I tried doing this, and it worked for the Summary view, but once I picked on a specific source or sourcetype, it went back to "All Time". Is there a way to change the default so that when I go from Summary to an individual source/sourctype, it won't be "All Time"?

Tags (2)
0 Karma
Reply

baconm
Engager
‎09-27-2013 09:10 AM

This can also be set on a per-user basis in the etc/users//search/local/viewstates.conf file:

[flashtimeline:_current]
TimeRangePicker_0_1_0.default = Last 15 minutes

[dashboard_live:_current]
TimeRangePicker_0_1_0.default = Last 4 hours

Reply

lguinn2
Legend
‎04-25-2012 07:50 PM

You need to change this in all of the search views. For Splunk 4.3, there are two default search views in the Search app.

Look under Manager » User interface » Views and choose the App Context "search".
You should see a view named "flashtimeline" and a view named "dashboard_live". (BTW, dashboard_live is the name of the Summary view.)

Edit each view by clicking on its name. Look for the two lines

<module name="TimeRangePicker">
    <param name="selected">All time</param>

Change All time to the default time range of your choice. Spell it exactly as it appears in the time range picker drop-down. For example

<module name="TimeRangePicker">
    <param name="selected">Last 60 minutes</param>

Save your edits.

When you have done this for both views, you will have altered the defaults. If you have other, custom search views, you may need to edit them as well. And you may need to repeat this when you install updates to Splunk. Fortunately, it is easy to do.

Reply

ChrisG
Splunk Employee
Splunk Employee
‎01-03-2014 02:41 PM

In 6.0, use the ui-prefs.conf file. See http://docs.splunk.com/Documentation/Splunk/6.0.1/Search/Selecttimerangestoapply#Change_the_default_....

Reply

JimDeich
Path Finder
‎12-02-2013 01:31 PM

For version 6.0 I put in the changes in Manager » User interface » Views

on but the default still shows as "All time"
Are there other views to be added for Splunk 6 ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...