Why is my ui-prefs.conf change to make the default search time range 15 minutes in all apps not being respected?

daniel333
Builder

Goal - Change the default time of search to 15 minutes in all apps.

I created a ui-prefs.conf in the local directory of the search app, but this didn't work. I also tried in the local directory of the system, and that didn't work. I believe this should set my default time in search to 15 minutes, but I've had no luck at all.

[search]
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
0 Karma

pellegrini
Path Finder

This config will not take effect if there is cached user config overriding it, like @ltrand says. 

Wiping out this directory for each user will work, but it removes user search history etc. Also, after removing the directory or config, a restart is needed. A more controlled way would be to remove only the affected stanza.

For example, user Bart has used the Search app but not MyOwnApp. Then these config changes will take effect for app MyOwnApp but not for the Search app. To have this change take effect for the Search app as well, do this:

-bash-4.2$ pwd
/opt/splunk/etc/users/bart/search
-bash-4.2$ ll
total 0
drwx------ 2 splunk splunk 52 Nov 24 08:08 history
drwx------ 2 splunk splunk 26 Sep 24 22:03 local
drwx------ 2 splunk splunk 23 Sep 24 22:03 metadata
-bash-4.2$ ll local/
total 4
-rw------- 1 splunk splunk 9 Sep 24 22:03 ui-prefs.conf
-bash-4.2$ cat local/ui-prefs.conf
[search]
-bash-4.2$

Remove the search stanza header and restart Splunk.

0 Karma
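A scripted form of the "remove only the affected stanza" approach from the answer above, as an added example that is not part of the original thread. The function names are hypothetical, and the directory layout is assumed to match the listing shown in that answer.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the per-user layout shown above:
#   $SPLUNK_HOME/etc/users/<user>/<app>/local/ui-prefs.conf
# Function names are hypothetical helpers, not Splunk commands.

# list_user_overrides SPLUNK_HOME STANZA
# Prints every per-user ui-prefs.conf that contains a [STANZA] header,
# i.e. the files that would override the app- or system-level setting.
list_user_overrides() {
    home=$1; stanza=$2
    for f in "$home"/etc/users/*/*/local/ui-prefs.conf; do
        [ -f "$f" ] || continue
        grep -Fqx "[$stanza]" "$f" && printf '%s\n' "$f"
    done
    return 0
}

# strip_stanza FILE STANZA
# Removes the [STANZA] header and the settings under it, leaves all other
# stanzas untouched, and keeps the original as FILE.bak.
strip_stanza() {
    file=$1; stanza=$2
    cp -p "$file" "$file.bak" || return 1
    # Writing back with '>' keeps the existing owner and mode of FILE.
    awk -v hdr="[$stanza]" '
        /^\[.*\]$/ { skip = ($0 == hdr) }   # each header starts or ends the skip
        !skip                               # print lines outside the stanza
    ' "$file.bak" > "$file"
}

# Typical use, run as the splunk user:
#   list_user_overrides /opt/splunk search
#   strip_stanza /opt/splunk/etc/users/bart/search/local/ui-prefs.conf search
```

As the answer notes, a restart is still needed after the stanza is removed.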

lakromani
Builder

PS: It's better to use -15m instead of -15m@m.

0 Karma

ChrisG
Splunk Employee

There is a long discussion of a similar question already posted to Splunk Answers.

That question is about making the change persistent in the search app.

However, this specific answer to the question seems to suggest that creating dispatch.earliest and dispatch.latest settings in $SPLUNK_HOME/etc/system/local/ui-prefs.conf, using a stanza for each app, might work.

0 Karma

ltrand
Contributor

Have you checked to see if the user level preferences are overriding this? Every time I need to change this I have to wipe out the user/app/local/ui-prefs.conf for it to work.
