- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: On a Splunk Enterprise deployer, how do I chan...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On a Splunk Enterprise deployer, how do I change the default time selection on a search head cluster?
I have a Splunk instance that I'm using as a deployer called halfiron. I created user-prefs.conf in this directory. (/opt/etc/shcluster/apps/halfiron/user-prefs.conf) The contents of user-prefs.conf is:
[general]
default_earliest_time = @d
default_latest_time = now
On my deployer, I execute: splunk apply shcluster-bundle -target https://xxx.xxx.xxx.xxx:8089.
On one of my search head members, I review configuration.
splunk cmd btool user-prefs list --debug
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf [general]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf datasets:showInstallDialog = 1
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_assistant = compact
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_auto_format = 0
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_line_numbers = 0
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_syntax_highlighting = light
/opt/splunk/etc/apps/halfiron/default/user-prefs.conf [general_default]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf appOrder = search
/opt/splunk/etc/apps/halfiron/default/user-prefs.conf default_earliest_time = @d
/opt/splunk/etc/apps/halfiron/default/user-prefs.conf default_latest_time = now
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf default_namespace = $default
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf hideInstrumentationOptInModal = 0
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf showWhatsNew = 1
My default time selection does not change from 24 hours to Today.
I tried changing [general] to [search], [general_default] and none worked. I tried these same settings in ui-prefs.conf. Can't seem to get the default time selection to be "Today."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pushing a bundle does not work for us. making a manual modification to the /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf does work. and yes a user change will override the settings.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Parameters you used dispatch_earliest_time and dispatch_latest_time however correct parameters are dispatch.earliest_time and dispatch.latest_time as per answer given by me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I made certain to copy/paste your exact stanza.
[search]
dispatch.earliest_time = @d
dispatch.latest_time = now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And it didn’t worked? If not can you please paste output again of btool after changes you made in ui-prefs.conf . Also which version of Splunk are you running?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
btool finds the information just fine over on the search head. Running 6.6.4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Silly question but have you tried in different browser, maybe try in Incognito mode ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not a silly question -- yes, already tried a different browser.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're using latest version of splunk (6.6.x & 7.x.x), there is an option to set this from web under "Settings >> Server settings (under system) >> Search preferences".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem we encountered is with a search head cluster. This solution is for a stand-alone search head.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah. I see. Pushing configuration bundle from deployer will end up in default directory even though they're present in local on deployer.
Try below and see if it works:
Create a local directory inside
user-prefsapp on each SH manually.
Make your changes there in order for splunk to overwritedefault.earliest_time = -24h@hsetting
Perform debug refresh since this is a search-time change - https://yoursplunkVIP/en-US/debug/refresh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can you please configure ui-prefs.conf in your app on your Deployer ( $SPLUNK_HOME/etc/shcluster/apps/<YOUR_APP>/local/ui-prefs.conf ) with below configuration
[search]
dispatch.earliest_time = @d
dispatch.latest_time = now
Then push the bundle from Deployer to Search Heads.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
