Dashboards & Visualizations

Can I change the default time range of the search that is run when clicking on the summary of the search app dashboard?

dmalament
Engager

In Splunk when I click on a sourcetype in the list on the Summary page it executes a search on that sourcetype using the "All time" timerange. This doesn't make sense to me. Rarely do people want to see ALL the events from a particular source, they usually want to see recent logs. I'd like to change this so that when I click on a sourcetype it does a search on the last 15 minutes, not all time.

I tried the solutions mentioned here: http://answers.splunk.com/questions/1415/how-do-i-set-the-default-time-range

That solution seems to only change the interface, not the actual search value.


bbingham
Builder

One way: modify the default dashboard to change the default selected item, for the default search app:

$SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard.xml

Take a look at this code snippet

<module name="SearchBar" layoutPanel="splSearchControls-inline">
      <param name="useAssistant">true</param>
      <param name="useTypeahead">true</param>
      <param name="useOwnSubmitButton">False</param>
      <module name="TimeRangePicker">
          <!-- the default time range applied when a search is typed into the bar -->
          <param name="selected">All time</param>
          <param name="searchWhenChanged">False</param>
          <module name="SubmitButton">
              <param name="allowSoftSubmit">True</param>
              <module name="ViewRedirector" layoutPanel="viewHeader">
                  <param name="viewTarget">flashtimeline</param>
              </module>
          </module>
      </module>
</module>

and change this:

 <param name="selected">All time</param>

to this:

 <param name="selected">Last 15 minutes</param>

Just change the selected item to what ever default time range you'd like.


sideview
SplunkTrust

Note: this will indeed change the timerange in the cases where you type into the search bar in the dashboard and then hit return. However it won't have any effect on the case where you're clicking one of the blue links on the dashboard; those will continue to be over all time unless you insert a HiddenSearch module like I talk about.


sideview
SplunkTrust

You're correct - the change as documented at http://answers.splunk.com/questions/1415/how-do-i-set-the-default-time-range applies only in the case where you first go to a view like flashtimeline, and then you type in a search and run it.

In the case where you're going to a view by interacting with elements in some other view, the effective time range is always set by the view that you are leaving. So essentially the XML config around those blue links in the dashboard view is specifying to the target view that the search should be run over all time.

To make things a bit stranger, the lack of a time range in this context is interpreted as an 'All time' timerange.

Hexx is correct - one reason why Splunk does this is to maintain consistency -- click on foo (1,293) and you'll always get search results with 1,293 events in them.

However if that inconsistency doesn't bother you, there is a way to change those links to be 24 hours.

Read on -- if you edit the XML for the summary page, you'll find three separate blocks where there are modules called SearchLinkLister. You'll need to nest a new HiddenSearch module into that stack to do this. This means indenting everything below the SearchLinkLister modules, and inserting this right under them:

<module name="HiddenSearch">
  <param name="earliest">-24h@h</param>
  <param name="latest">now</param>
  [[[ all remaining nested modules go here.  ]]]
</module>
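An added illustration of the nesting described above (not the stock dashboard.xml and not sideview's own code): one of the SearchLinkLister stacks with a HiddenSearch module inserted beneath it. The SearchLinkLister's own params and the exact module that sits under it (a ViewRedirector to flashtimeline is assumed here) must be copied from your actual file.

```xml
<!-- BEFORE (assumed shape): nothing sets earliest/latest, so the target view
     treats the missing range as "All time". -->
<module name="SearchLinkLister">
  <!-- SearchLinkLister's existing params stay here, unchanged -->
  <module name="ViewRedirector">
    <param name="viewTarget">flashtimeline</param>
  </module>
</module>

<!-- AFTER: HiddenSearch pins the range handed to the target view to the
     last 24 hours; everything that used to sit directly under
     SearchLinkLister is indented one level and moved inside it. -->
<module name="SearchLinkLister">
  <!-- SearchLinkLister's existing params stay here, unchanged -->
  <module name="HiddenSearch">
    <param name="earliest">-24h@h</param>
    <param name="latest">now</param>
    <module name="ViewRedirector">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>
```

Repeat the same edit for each of the three SearchLinkLister blocks in the summary view, and remember that the counts shown on the dashboard are still "All time" totals, so they will no longer match the 24-hour result set.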

hexx
Splunk Employee

The reason why the "All time" range is selected when you click on the summaries displayed in the search app dashboard is that those numbers represent aggregate counts for exactly that time range: All time!

Think of it this way: when you click on the dashboard entry that shows the 100,000 events of the syslog sourcetype that you have indexed so far, it makes sense to attempt to show you those 100,000 events by default.

If the behavior was different (for example, using the time range used last in the time picker), it would be misleading and lead to the invoked search not displaying the results advertised in the dashboard summary.
