In Splunk, when I click on a sourcetype in the list on the Summary page it executes a search on that sourcetype using the "All time" time range. This doesn't make sense to me. Rarely do people want to see ALL the events from a particular source; they usually want to see recent logs. I'd like to change this so that when I click on a sourcetype it does a search on the last 15 minutes, not all time.
I tried the solutions mentioned here: http://answers.splunk.com/questions/1415/how-do-i-set-the-default-time-range
That solution seems to only change the interface, not the actual search value.
One way is to modify the default dashboard of the default search app to change the default selected item:
$SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard.xml
Take a look at this code snippet:
<module name="SearchBar" layoutPanel="splSearchControls-inline">
  <param name="useAssistant">true</param>
  <param name="useTypeahead">true</param>
  <param name="useOwnSubmitButton">False</param>
  <module name="TimeRangePicker">
    <param name="selected">All time</param>
    <param name="searchWhenChanged">False</param>
    <module name="SubmitButton">
      <param name="allowSoftSubmit">True</param>
      <module name="ViewRedirector" layoutPanel="viewHeader">
        <param name="viewTarget">flashtimeline</param>
      </module>
    </module>
  </module>
</module>
and change this:
<param name="selected">All time</param>
to this:
<param name="selected">Last 15 minutes</param>
Just change the selected item to whatever default time range you'd like.
Note: this will indeed change the time range in the cases where you type into the search bar in the dashboard and then hit return. However, it won't have any effect on the case where you're clicking one of the blue links on the dashboard; those will continue to be over all time unless you insert a HiddenSearch module like I talk about.
You're correct - the change as documented at http://answers.splunk.com/questions/1415/how-do-i-set-the-default-time-range applies only in the case where you first go to a view like flashtimeline, and then you type in a search and run it.
In the case where you're going to a view by interacting with elements in some other view, the effective time range is always set by the view that you are leaving. So essentially the XML config around those blue links in the dashboard view is specifying to the target view that the search should be run over all time.
To make things a bit stranger, the lack of a time range in this context is interpreted as an 'All time' time range.
Hexx is correct: one reason why Splunk does this is to maintain consistency. Click on foo (1,293) and you'll always get search results with 1,293 events in them.
However, if that inconsistency doesn't bother you, there is a way to change those links to be 24 hours.
Read on -- if you edit the XML for the summary page, you'll find three separate blocks where there are modules called SearchLinkLister. You'll need to nest a new HiddenSearch module into that stack to do this. This means indenting everything below the SearchLinkLister modules, and inserting this right under them:
<module name="HiddenSearch">
  <param name="earliest">-24h@h</param>
  <param name="latest">now</param>
  [[[ all remaining nested modules go here. ]]]
</module>
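Both answers above edit the same Advanced XML view by hand. As an added example that comes from neither answer nor from Splunk itself, the Python script below automates both changes against a view file: it rewrites the TimeRangePicker's 'selected' param (typed searches) and inserts a HiddenSearch carrying earliest/latest params between every SearchLinkLister and the modules nested under it (the blue links), leaving the lister's own params in place and skipping listers that are already wrapped so it can be re-run safely. The SAMPLE_VIEW string is a constructed, cut-down stand-in for dashboard.xml, the '-24h@h' and 'Last 15 minutes' defaults are taken from the answers, and the src/dst arguments are this script's own. Pointing dst at the app's local/ tree instead of overwriting default/ keeps the change across upgrades, since Splunk layers local/ over default/.

```python
"""Patch a Splunk Advanced XML view so its searches default to a bounded
time range rather than "All time".

  1. TimeRangePicker/param[@name="selected"] -> new default label
     (covers searches typed into the dashboard's search bar).
  2. A HiddenSearch module (earliest/latest) inserted between every
     SearchLinkLister and its nested modules (covers the drill-down links,
     which otherwise run over all time).
"""
import argparse
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the snippets quoted in the answers;
# it is not a copy of Splunk's own dashboard.xml.
SAMPLE_VIEW = """\
<view template="dashboard.html">
  <module name="SearchBar" layoutPanel="splSearchControls-inline">
    <param name="useAssistant">true</param>
    <module name="TimeRangePicker">
      <param name="selected">All time</param>
      <param name="searchWhenChanged">False</param>
      <module name="SubmitButton">
        <param name="allowSoftSubmit">True</param>
        <module name="ViewRedirector" layoutPanel="viewHeader">
          <param name="viewTarget">flashtimeline</param>
        </module>
      </module>
    </module>
  </module>
  <module name="SearchLinkLister" layoutPanel="panel_row2_col1">
    <param name="search">| metadata type=sourcetypes</param>
    <param name="settingToCreate">sourcetype_setting</param>
    <module name="ViewRedirector">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</view>
"""


def _modules(root, name):
    # Materialise the list first: callers mutate the tree while walking it.
    return [m for m in root.iter("module") if m.get("name") == name]


def set_default_timerange(root, label):
    """Rewrite every TimeRangePicker's 'selected' param. Returns count changed."""
    changed = 0
    for picker in _modules(root, "TimeRangePicker"):
        for param in picker.findall("param"):
            if param.get("name") == "selected":
                param.text = label
                changed += 1
    return changed


def wrap_link_listers(root, earliest, latest):
    """Insert <module name="HiddenSearch"> between each SearchLinkLister and the
    modules nested under it. The lister's own <param>s stay put; only child
    <module>s move. An already-wrapped lister is skipped (idempotent)."""
    wrapped = 0
    for lister in _modules(root, "SearchLinkLister"):
        children = [c for c in lister if c.tag == "module"]
        if not children:
            continue
        if len(children) == 1 and children[0].get("name") == "HiddenSearch":
            continue
        hidden = ET.Element("module", {"name": "HiddenSearch"})
        ET.SubElement(hidden, "param", {"name": "earliest"}).text = earliest
        ET.SubElement(hidden, "param", {"name": "latest"}).text = latest
        for child in children:
            lister.remove(child)
            hidden.append(child)
        lister.append(hidden)
        wrapped += 1
    return wrapped


def rewrite_view(xml_text, label="Last 15 minutes", earliest="-24h@h", latest="now"):
    """Apply both edits to an XML string. Returns (new_xml, pickers, listers)."""
    root = ET.fromstring(xml_text)
    pickers = set_default_timerange(root, label)
    listers = wrap_link_listers(root, earliest, latest)
    return ET.tostring(root, encoding="unicode"), pickers, listers


def selected_timeranges(xml_text):
    """Labels of every TimeRangePicker 'selected' param, for verification."""
    root = ET.fromstring(xml_text)
    return [p.text for m in _modules(root, "TimeRangePicker")
            for p in m.findall("param") if p.get("name") == "selected"]


def link_lister_ranges(xml_text):
    """Per SearchLinkLister: (earliest, latest, [nested module names]) of its
    HiddenSearch child, or None when it is still unwrapped (i.e. all time)."""
    out = []
    for lister in _modules(ET.fromstring(xml_text), "SearchLinkLister"):
        hidden = [c for c in lister if c.tag == "module" and c.get("name") == "HiddenSearch"]
        if not hidden:
            out.append(None)
            continue
        params = {p.get("name"): p.text for p in hidden[0].findall("param")}
        nested = [c.get("name") for c in hidden[0] if c.tag == "module"]
        out.append((params.get("earliest"), params.get("latest"), nested))
    return out


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="patch a Splunk Advanced XML view")
    ap.add_argument("src", help="view XML to read, e.g. default/data/ui/views/dashboard.xml")
    ap.add_argument("dst", help="where to write the patched copy (the app's local/ tree)")
    ap.add_argument("--label", default="Last 15 minutes")
    ap.add_argument("--earliest", default="-24h@h")
    ap.add_argument("--latest", default="now")
    a = ap.parse_args()
    with open(a.src, encoding="utf-8") as fh:
        new_xml, n_pick, n_list = rewrite_view(fh.read(), a.label, a.earliest, a.latest)
    with open(a.dst, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n' + new_xml + "\n")
    print(f"patched {n_pick} TimeRangePicker(s), wrapped {n_list} SearchLinkLister(s)")
```

Run it with the source view and a destination under the app's local/ directory, restart Splunk so the new view is loaded, and use link_lister_ranges on the written file to confirm every lister reports a range rather than None; the counts it prints should match the three SearchLinkLister blocks the answer above mentions in the real summary page.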
The reason why the "All time" range is selected when you click on the summaries displayed in the search app dashboard is that those numbers represent aggregate counts for exactly that time range: All time!
Think of it this way: when you click on the dashboard entry that shows the 100,000 events of the syslog sourcetype that you have indexed so far, it makes sense to attempt to show you those 100,000 events by default.
If the behavior was different (for example, using the time range used last in the time picker), it would be misleading and lead to the invoked search not displaying the results advertised in the dashboard summary.