In Splunk when I click on a sourcetype in the list on the Summary page it executes a search on that sourcetype using the "All time" timerange. This doesn't make sense to me. Rarely do people want to see ALL the events from a particular source, they usually want to see recent logs. I'd like to change this so that when I click on a sourcetype it does a search on the last 15 minutes, not all time.
I tried the solutions mentioned here: http://answers.splunk.com/questions/1415/how-do-i-set-the-default-time-range
That solution seems to only change the interface, not the actual search value.
The reason why the "All time" range is selected when you click on the summaries displayed in the search app dashboard is that those numbers represent aggregate counts for exactly that time range: All time!
Think of it this way: when you click on the dashboard entry that shows the 100,000 events of the syslog sourcetype that you have indexed so far, it makes sense to attempt to show you those 100,000 events by default.
If the behavior was different (for example, using the time range used last in the time picker), it would be misleading and lead to the invoked search not displaying the results advertised in the dashboard summary.
answered 15 Sep '10, 20:23
You're correct - the change as documented at http://answers.splunk.com/questions/1415/how-do-i-set-the-default-time-range applies only in the case where you first go to a view like flashtimeline, and then you type in a search and run it.
In the case where you're going to a view by interacting with elements in some other view, the effective time range is always set by the view that you are leaving. So essentially the XML config around those blue links in the dashboard view is specifying to the target view that the search should be run over all time.
To make things a bit stranger, the lack of a time range in this context is interpreted as an 'All time' timerange.
Hexx is correct - one reason why Splunk does this is to maintain consistency -- click on foo (1,293) and you'll always get search results with 1,293 events in them.
However, if that inconsistency doesn't bother you, there is a way to change those links to be 24 hours.
Read on -- if you edit the XML for the summary page, you'll find three separate blocks where there are modules called SearchLinkLister. You'll need to nest a new HiddenSearch module into that stack to do this. This means indenting everything below the SearchLinkLister modules, and inserting this right under them:
answered 15 Sep '10, 20:26
One way: modify the default dashboard to change the default selected item for the default search app:
Take a look at this code snippet
and change this:
Just change the selected item to what ever default time range you'd like.
answered 15 Sep '10, 20:26
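To make the two recipes above concrete, here is an added sketch in Splunk 4.x Advanced XML; it is my own illustration, not code from either answer or from Splunk's stock dashboard view. It assumes the HiddenSearch module accepts `earliest`/`latest` parameters and that the time picker is the TimeRangePicker module with a `selected` parameter; the SearchLinkLister parameters and the child module it feeds are placeholders, so take those from your own view rather than from here.

```xml
<!-- Recipe from the second answer: bound the links SearchLinkLister generates.
     Before (simplified placeholder of the stock layout): the generated search
     is pushed downstream with no time range, which the target view reads as
     All time. -->
<module name="SearchLinkLister" layoutPanel="panel_row2_col1">
  <!-- stock SearchLinkLister params go here (placeholder, omitted) -->
  <module name="ViewRedirector">   <!-- placeholder child: whatever your view nests here -->
    <param name="viewTarget">flashtimeline</param>
  </module>
</module>

<!-- After: a HiddenSearch is nested between SearchLinkLister and its former
     children, which move one level deeper. Child modules inherit context from
     their parents, so the time range now rides along with the link. As the
     answers note, the link "foo (1,293)" may then show fewer than 1,293 events. -->
<module name="SearchLinkLister" layoutPanel="panel_row2_col1">
  <!-- stock SearchLinkLister params go here (placeholder, omitted) -->
  <module name="HiddenSearch">
    <param name="earliest">-24h</param>   <!-- use -15m for the asker's 15 minutes -->
    <param name="latest">now</param>
    <module name="ViewRedirector">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>

<!-- Recipe from the third answer: change the item the time picker starts on,
     so searches typed into the view run over a bounded window by default. -->
<module name="TimeRangePicker" layoutPanel="mainSearchControls">
  <param name="selected">Last 15 minutes</param>
  <param name="searchWhenChanged">True</param>
</module>
```

A bounded default also keeps analysts from unintentionally running all-time searches against every sourcetype, which are expensive and tend to bury the recent events they were looking for.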