Splunk Search

How can I change the default search time for all users who are accessing a custom app I created?

splunkjpm
New Member

I would like to change the default search time for all users who select the custom app I have created from all time to only search by default the last 4 hrs. How can I make this change so that all users who select this custom app from their app dropdown menu will automatically get a default of 4 hrs for all searches they request, not all time?

0 Karma
1 Solution

somesoni2
SplunkTrust

In $SPLUNK_HOME/etc/system/default, you should have a ui-prefs.conf file. Copy the same to the $SPLUNK_HOME/etc/apps//default directory. Once copied, change the following entries in the file. If you are able to find the file, just create a ui-prefs.conf file in $SPLUNK_HOME/etc/apps//default with the following entries.

dispatch.earliest_time = -4h@h
dispatch.latest_time = now


mo_hassan
New Member

I don't know if the answer above was applicable to earlier versions of Splunk. But as for 7.0.1, I did a diff on the entire etc directory before and after doing the change in the UI. And here is what I found:

diff -r etc/etc/apps/user-prefs/local/user-prefs.conf etc2/etc/apps/user-prefs/local/user-prefs.conf
2,3c2,3
< default_earliest_time = 0
< default_latest_time =
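
Review bot: the 2,3c2,3 hunk lists only its "<" lines, which come from the first path on the diff -r command line; the "---" separator and the ">" lines from the etc2 copy are not shown, so the values written by the UI change cannot be read from this output. The two settings given after the hunk repeat the "<" values, so include the ">" lines and state which tree was captured after the change.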

Basically modify/create /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
default_earliest_time = 0
default_latest_time =

0 Karma

splunkjpm
New Member

Yes, I did restart Splunk, but when the app comes up it still shows all time. I did notice several references to this change related to version 6; can you please confirm if this change is supported in 5.0.5, the version we are running on? Also, to clarify, we want the default for the search for this custom app for all users to be 4 hrs, not all time. Even if they change the search time, the next time they access the custom app the default time that appears on the screen next to the search bar should be 4 hrs.

0 Karma

hamid35
New Member

This is what you should do:

Go to $SPLUNK_HOME/etc/system/local.

Create a ui-prefs.conf file if it does not exist.

Then place the following in the file:

dispatch.earliest_time = -4h@h
dispatch.latest_time = now

Restart Splunk after.

Enjoy!!!

0 Karma

somesoni2
SplunkTrust

And you restarted the Splunk instance after the change?

0 Karma

splunkjpm
New Member

Thank you for the suggestion. Since the ui-prefs.conf file did not exist in $SPLUNK_HOME/etc/system/default, I created it in the default directory for my app and added the lines
dispatch.earliest_time = -4h@h
dispatch.latest_time = now
Unfortunately it still does not work; when I access the app, on the search bar it still has a default value of all time for the searches.

I don't know if this matters, but we are running version 5.0.5. Any other suggestions would be appreciated.

0 Karma

dseabury
Explorer

This worked for me. It may be obvious to many, but it seemed subtle to me. The solution mentions copying the ui-prefs.conf file to $SPLUNK_HOME/etc/apps//default directory. Those two slashes after apps imply that it be filled in with the target directory. In my case, I wanted to change the default time for all searches, so I copied ui-prefs.conf to $SPLUNK_HOME/etc/apps/search/default. I made the modifications indicated (there were actually a couple of stub blanks already in the file), restarted Splunk and my default search window is now 4 hours.

0 Karma