Splunk Search

How can I change the default search time for all users who are accessing a custom app I created?

New Member

I would like to change the default search time for all users who select the custom app I have created from all time to only search by default the last 4 hrs. How can I make this change so that all users who select this custom app from their app dropdown menu will automatically get a default of 4 hrs for all searches they request, not all time?

1 Solution

Revered Legend

In $SPLUNK_HOME/etc/system/default, you should have a ui-prefs.conf file. Copy the same to the $SPLUNK_HOME/etc/apps//default directory. Once copied, change the following entries in the file. If you are not able to find the file, just create a ui-prefs.conf file in $SPLUNK_HOME/etc/apps//default with the following entries.

dispatch.earliest_time = -4h@h
dispatch.latest_time = now


New Member

I don't know if the answer above was applicable to earlier versions of Splunk. But as for 7.0.1, I did a diff on the entire etc directory before and after doing the change in the UI. And here is what I found:

diff -r etc/etc/apps/user-prefs/local/user-prefs.conf etc2/etc/apps/user-prefs/local/user-prefs.conf
2,3c2,3
< default_earliest_time = 0
< default_latest_time =
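Review bot: the 2,3c2,3 hunk shows only the `<` lines, which come from the first tree given to diff -r (etc/, the state before the UI change); the `>` lines from etc2/ are missing, so the post-change values cannot be read from the diff as pasted. The two settings repeated below the hunk (`default_earliest_time = 0`, `default_latest_time =`) match the `<` side, so please paste the `>` lines, or confirm which tree is the "after" state, before readers copy these values into user-prefs.conf.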

Basically modify/create /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
default_earliest_time = 0
default_latest_time =


New Member

Yes, I did restart Splunk, but when the app comes up it still shows all time. I did notice several references to this change related to version 6. Can you please confirm if this change is supported in 5.0.5, the version we are running on? Also, to clarify, we want the default for the search for this custom app for all users to be 4 hrs, not all time. Even if they change the search time, the next time they access the custom app the default time that appears on the screen next to the search bar should be 4 hrs.


New Member

This is what you should do:

Go to $SPLUNK_HOME/etc/system/local

Create a ui-prefs.conf file if it does not exist.

Then place the following in the file:

dispatch.earliest_time = -4h@h
dispatch.latest_time = now

Restart Splunk after.

Enjoy!!!


Revered Legend

And you restarted the Splunk instance after the change?


New Member

Thank you for the suggestion. Since the ui-prefs.conf file did not exist in $SPLUNK_HOME/etc/system/default, I created it in the default directory for my app and added in the lines
dispatch.earliest_time = -4h@h
dispatch.latest_time = now
Unfortunately it still does not work; when I access the app, the search bar still has a default value of all time for the searches.

I don't know if this matters, but we are running version 5.0.5. Any other suggestions would be appreciated.



Explorer

This worked for me. It may be obvious to many, but it seemed subtle to me. The solution mentions copying the ui-prefs.conf file to $SPLUNK_HOME/etc/apps//default directory. Those two slashes after apps imply that it be filled in with the target directory. In my case, I wanted to change the default time for all searches, so I copied ui-prefs.conf to $SPLUNK_HOME/etc/apps/search/default. I made the modifications indicated (there were actually a couple of stub blanks already in the file), restarted Splunk and my default search window is now 4 hours.

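As an added example (not code from this thread or from Splunk), here is an offline check of the layered ui-prefs.conf lookup that the accepted answer and the Explorer's reply describe: which copy of the file actually supplies the default time range. It assumes Splunk's documented app-context precedence, lowest to highest: system/default, system/local, app/default, app/local, and looks only at the [default] stanza; the app name myapp and all file contents are constructed.

```python
import os
import tempfile
def layered_paths(splunk_home, app):
    """Assumed app-context precedence, lowest to highest; a later file overrides an earlier one."""
    etc = os.path.join(splunk_home, "etc")
    return [os.path.join(etc, *parts, "ui-prefs.conf") for parts in
            (("system", "default"), ("system", "local"),
             ("apps", app, "default"), ("apps", app, "local"))]

def parse_conf(path):
    """Return {stanza: {key: value}}; keys before any [stanza] land in 'default'."""
    stanzas, current = {}, "default"
    if not os.path.exists(path):
        return stanzas
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
            elif "=" in line:
                key, _, value = line.partition("=")
                stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective_time_range(splunk_home, app):
    """Merge the [default] stanzas in precedence order and return (earliest, latest).
    An empty string means the key is present but blank (the stub blanks the thread mentions)."""
    merged = {}
    for path in layered_paths(splunk_home, app):
        merged.update(parse_conf(path).get("default", {}))
    return merged.get("dispatch.earliest_time", ""), merged.get("dispatch.latest_time", "")

def write_conf(path, earliest, latest):
    # Write a minimal ui-prefs.conf with the two keys under [default].
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("[default]\ndispatch.earliest_time = %s\ndispatch.latest_time = %s\n" % (earliest, latest))

def demo(local_override=None):
    """Constructed layout: blank system default, app default = last 4 hours; local_override wins."""
    home = tempfile.mkdtemp()
    paths = layered_paths(home, "myapp")
    write_conf(paths[0], "", "")
    write_conf(paths[2], "-4h@h", "now")
    if local_override:
        write_conf(paths[3], *local_override)
    return effective_time_range(home, "myapp")
```

Running demo() shows the app's default directory winning over a blank system default, while demo(("-24h@h", "now")) shows how a stray app/local copy silently overrides it, which is the first thing to check when the 4-hour default does not appear.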