Splunk Search

How to change default from "All time" in Pivot time filter?

jwebster0000
Engager

Currently when building a pivot table the default time is set to "All Time".
Is it possible to set it to some other value? I've tried overriding it by
adding the following entries to $SPLUNK_HOME/etc/system/local/ui-prefs.conf,
but they have no effect. We're running Splunk 6.1.1.

[pivot]

dispatch.earliest_time = -7d

dispatch.latest_time = now

[search]

dispatch.earliest_time = -7d

dispatch.latest_time = now

[default]

dispatch.earliest_time = -7d

dispatch.latest_time = now

Tags (3)

strive
Influencer

Try this:

[general_default]
default_namespace = launcher
appOrder = search
default_earliest_time = -48h
default_latest_time = now
0 Karma

patng_nw
Communicator

Tried this on the search heads.  Restarted them but the default Time Picker in Pivot Edit is still "All Time".  We are also trying to promote the user of Data Models, but the default "All Time" is a real concern, as most biz users will use whatever default is there, and all these will put lots of strain on the servers.

0 Karma

w531t4
Path Finder

Bump -- Any updates on this? Certainly this would be a good thing to have.

0 Karma

tmeader
Contributor

Agreed. We'd like to open the pivot interface up to more people, but if we're going to allow them to experiment on their own with writing them, we cannot have the default set to All Time. Please allow a method to change this, or at least change the DEFAULT to something much more reasonable.

mholme59
Explorer

Bump, I am in the same boat as tmeader. We've moved a good deal of our data into models, and want to open up access to our less technical users via the pivot screen. However, I cannot have a flood of users searching huge data sets all time.

sowings
Splunk Employee
Splunk Employee

Not at present, but there is a feature request in place to address this. Look for the change in a future release.

pradeepkumarg
Influencer

Did you find a solution to this?

0 Karma

strive
Influencer

Try this

[general_default]
default_namespace = launcher
appOrder = search
default_earliest_time = -48h
default_latest_time = now
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...