Currently when building a pivot table the default time is set to "All Time".
Is it possible to set it to some other value? I've tried overriding it by
adding the following entries to $SPLUNK_HOME/etc/system/local/ui-prefs.conf,
but they have no effect. We're running Splunk 6.1.1.
[pivot]
dispatch.earliest_time = -7d
dispatch.latest_time = now
[search]
dispatch.earliest_time = -7d
dispatch.latest_time = now
[default]
dispatch.earliest_time = -7d
dispatch.latest_time = now
Try this:
[general_default]
default_namespace = launcher
appOrder = search
default_earliest_time = -48h
default_latest_time = now
Tried this on the search heads. Restarted them but the default Time Picker in Pivot Edit is still "All Time". We are also trying to promote the user of Data Models, but the default "All Time" is a real concern, as most biz users will use whatever default is there, and all these will put lots of strain on the servers.
Bump -- Any updates on this? Certainly this would be a good thing to have.
Agreed. We'd like to open the pivot interface up to more people, but if we're going to allow them to experiment on their own with writing them, we cannot have the default set to All Time. Please allow a method to change this, or at least change the DEFAULT to something much more reasonable.
Bump, I am in the same boat as tmeader. We've moved a good deal of our data into models, and want to open up access to our less technical users via the pivot screen. However, I cannot have a flood of users searching huge data sets all time.
Not at present, but there is a feature request in place to address this. Look for the change in a future release.
Did you find a solution to this?
Try this
[general_default]
default_namespace = launcher
appOrder = search
default_earliest_time = -48h
default_latest_time = now