Splunk Search

How can I change the default search time for all users who are accessing a custom app I created?

splunkjpm
Loves-to-Learn Lots

I would like to change the default search time for all users who select the custom app I have created from all time to only search by default the last 4 hrs. How can I make this change so that all users who select this custom app from their app dropdown menu will automatically get a default of 4 hrs for all searches they request, not all time?

0 Karma
1 Solution

somesoni2
Revered Legend

In $SPLUNK_HOME/etc/system/default, you should have a ui-prefs.conf file. Copy the same to the $SPLUNK_HOME/etc/apps//default directory. Once copied, change the following entries in the file. If you are not able to find the file, just create a ui-prefs.conf file in $SPLUNK_HOME/etc/apps//default with the following entries.

dispatch.earliest_time = -4h@h
dispatch.latest_time = now

mo_hassan
New Member

I don't know if the answer above was applicable to earlier versions of Splunk. But as for 7.0.1, I did a diff on the entire etc directory before and after doing the change in the UI. And here is what I found:

diff -r etc/etc/apps/user-prefs/local/user-prefs.conf etc2/etc/apps/user-prefs/local/user-prefs.conf
2,3c2,3
< default_earliest_time = 0
< default_latest_time =
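Review bot: the hunk shows only the `<` (pre-change, `etc/`) side of the `2,3c2,3` change; the `>` lines from `etc2/` that carry the values written by the UI are missing, so the post does not actually show what changed. The stanza suggested below repeats those `<` values (`default_earliest_time = 0` and an empty `default_latest_time`), which is the original setting rather than the new one; for the 4-hour default this thread is after, the corresponding values would be the `-4h@h` / `now` pair used in the other answers. Since the hunk starts at line 2, the stanza header on line 1 is also not shown; the two keys need to stay under it.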

Basically modify/create /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
default_earliest_time = 0
default_latest_time =

0 Karma

splunkjpm
Loves-to-Learn Lots

Yes, I did restart Splunk, but when the app comes up it still shows all time. I did notice several references to this change related to version 6; can you please confirm if this change is supported in 5.0.5, the version we are running on. Also, to clarify, we want the default for the search for this custom app for all users to be 4 hrs, not all time; even if they change the search time, the next time they access the custom app the default time that appears on the screen next to the search bar should be 4 hrs.

0 Karma

hamid35
New Member

This is what you should do:

Go to $SPLUNK_HOME/etc/system/local.

Create a ui-prefs.conf file if it does not exist.

Then place the following in the file:

dispatch.earliest_time = -4h@h
dispatch.latest_time = now

Restart Splunk afterwards.

Enjoy!!!

0 Karma

somesoni2
Revered Legend

And you restarted the splunk instance after the change?

0 Karma

splunkjpm
Loves-to-Learn Lots

Thank you for the suggestion. Since the ui-prefs.conf file did not exist in $SPLUNK_HOME/etc/system/default, I created it in the default directory for my app and added the lines
dispatch.earliest_time = -4h@h
dispatch.latest_time = now
Unfortunately it still does not work; when I access the app, the search bar still has a default value of all time for the searches.

I don't know if this matters, but we are running version 5.0.5. Any other suggestions would be appreciated.

0 Karma

dseabury
Explorer

This worked for me. It may be obvious to many, but it seemed subtle to me. The solution mentions copying the ui-prefs.conf file to $SPLUNK_HOME/etc/apps//default directory. Those two slashes after apps imply that it be filled in with the target directory. In my case, I wanted to change the default time for all searches, so I copied ui-prefs.conf to $SPLUNK_HOME/etc/apps/search/default. I made the modifications indicated (there were actually a couple of stub blanks already in the file), restarted Splunk and my default search window is now 4 hours.

0 Karma
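
The answers above put ui-prefs.conf in different places (system/local versus an app's default directory), and which copy a user actually sees depends on Splunk's configuration layering. As an added example, not code from this thread or from Splunk itself, the resolver below walks the ui-prefs.conf layers in Splunk's documented app-context precedence order and reports which file supplied a setting; the tree built by demo_tree(), the app name "myapp" and the user "alice" are constructed, and exported settings from other apps are deliberately ignored.

```python
"""Which ui-prefs.conf layer wins? Resolver mirroring Splunk's documented
app-context precedence, lowest to highest: etc/system/default, etc/system/local,
etc/apps/<app>/default, etc/apps/<app>/local, etc/users/<user>/<app>/local."""
import configparser
import os
import tempfile

def layer_files(splunk_home, app, user=None):
    dirs = [("system", "default"), ("system", "local"),
            ("apps", app, "default"), ("apps", app, "local")]
    if user:
        dirs.append(("users", user, app, "local"))  # the user's own local wins
    return [os.path.join(splunk_home, "etc", *d, "ui-prefs.conf") for d in dirs]

def read_setting(path, stanza, key):
    """Value of key in [stanza] (falling back to [default]) or None if unset."""
    if not os.path.isfile(path):
        return None
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      default_section="default")
    cp.optionxform = str  # Splunk keys are case-sensitive
    cp.read(path, encoding="utf-8")
    if cp.has_option(stanza, key):
        return cp.get(stanza, key)
    return cp.defaults().get(key)  # a [default] stanza applies to every stanza

def resolve(splunk_home, app, stanza, key, user=None):
    """Return (value, path of the file that set it, relative to SPLUNK_HOME)."""
    winner = (None, None)
    for path in layer_files(splunk_home, app, user):  # low -> high precedence
        value = read_setting(path, stanza, key)
        if value is not None:
            winner = (value, os.path.relpath(path, splunk_home).replace(os.sep, "/"))
    return winner

def demo_tree():
    """Constructed sample tree (not a real install): admin set 4h in system/local."""
    root = tempfile.mkdtemp(prefix="splunk_home_")
    files = {
        "etc/system/default/ui-prefs.conf": "[search]\ndispatch.earliest_time = -24h@h\ndispatch.latest_time = now\n",
        "etc/system/local/ui-prefs.conf": "[search]\ndispatch.earliest_time = -4h@h\n",
        "etc/apps/myapp/default/ui-prefs.conf": "[default]\ndispatch.earliest_time = -24h@h\n",
        "etc/users/alice/myapp/local/ui-prefs.conf": "[search]\ndispatch.earliest_time = -7d@d\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root
```

In the constructed tree the app's own default (24h) beats the admin's system/local (4h) inside that app, and the user's local copy beats both; on a real instance, `splunk btool ui-prefs list --debug` prints the same winning file per setting.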