In Splunk, when I click on a sourcetype in the list on the Summary page, it executes a search on that sourcetype using the "All time" time range. This doesn't make sense to me. Rarely do people want to see ALL the events from a particular source; they usually want to see recent logs. I'd like to change this so that when I click on a sourcetype it does a search on the last 15 minutes, not all time.
I tried the solutions mentioned here: http://answers.splunk.com/questions/1415/how-do-i-set-the-default-time-range
That solution seems to only change the interface, not the actual search value.