TIPS & TRICKS

How to modify the 2.1 UI’s default behaviour to only search recent events

If you only ever care about the last few hours or the last day of your data, this simple change will speed up your search results tremendously. Our next big release will basically behave this way by default; until then, here's how you can do it in 2.1.

This is a change in three places, but fortunately all three are very fast to make, and they are all in the same file:
$SPLUNK_HOME/share/splunk/search/dynamic/main_ui.html

Note: The example here will set your UI to search only the past 6 hours by default. Once you have done this it should be easy to see how to change it to search 1 day, 45 minutes, etc.

Note: Also, you don't need to restart the front end to see these changes, but you DO have to refresh your browser by clicking the refresh button up top.

step 1) around line 70, change
<div class="#productVersion#Version landingPageState #userType#User noTimeFields eventsTab relativeTimeMode #dynamicallySetStates#" id="outerWrapper" />

to
<div class="#productVersion#Version landingPageState #userType#User eventsTab relativeTimeMode #dynamicallySetStates#" id="outerWrapper" />
(this removes the 'noTimeFields' state, so the time controls are now open by default)

step 2) around line 122 of the same file, change
<input type="text" id="relStartTime" />

to
<input type="text" value="6" id="relStartTime" />

(now the UI will load with "6" already entered into the relative start field)

step 3) around line 125, still in the same file, change
<option value="hours">Hours ago</option>

to
<option value="hours" selected="selected">Hours ago</option>

(this means that hours will be selected by default instead of minutes)

That's it. You're done. Refresh your browser and the UI will now restrict its searches to the most recent 6 hours by default. If you really only ever care about the last 2 hours, switching it to 2 hours may speed you up even more.
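The three edits above can also be scripted, which is handy when you want to apply them to several search heads or redo them after an upgrade. The script below is an added example, not code that ships with Splunk. It assumes the three snippets appear in main_ui.html exactly as quoted in the post (straight ASCII quotes); if any of them is missing or appears more than once, it refuses to touch the file rather than half-editing a template from a different build. It also takes a backup first and only accepts a plain positive integer and a plain unit name, because the values land inside attributes of a page served to every user. The sample HTML fragment and the select id "relStartUnit" in it are constructed for the stand-alone run.

```python
"""Apply the three main_ui.html edits from the post to a copy of the file.

Added example, not Splunk's own code. Markers are the snippets quoted in the
post; the edit is refused unless each marker occurs exactly once.
"""
import re
import shutil
import sys
from pathlib import Path

# Step 1 marker: the outerWrapper div, before and after dropping noTimeFields.
OUTER_WRAPPER_BEFORE = (
    '<div class="#productVersion#Version landingPageState #userType#User '
    'noTimeFields eventsTab relativeTimeMode #dynamicallySetStates#" '
    'id="outerWrapper" />'
)
OUTER_WRAPPER_AFTER = OUTER_WRAPPER_BEFORE.replace("noTimeFields ", "")

# Step 2 marker: the empty relative start field.
REL_START_BEFORE = '<input type="text" id="relStartTime" />'

# Constructed sample fragment so the script runs without a Splunk install.
# The select id and the "minutes" option are assumptions for the sample only.
SAMPLE_HTML = """<html><body>
<div class="#productVersion#Version landingPageState #userType#User noTimeFields eventsTab relativeTimeMode #dynamicallySetStates#" id="outerWrapper" />
<form>
<input type="text" id="relStartTime" />
<select id="relStartUnit">
<option value="minutes">Minutes ago</option>
<option value="hours">Hours ago</option>
</select>
</form>
</body></html>
"""


def _replace_exactly_once(text: str, old: str, new: str, what: str) -> str:
    """Replace old with new, but only if old occurs exactly once in text."""
    count = text.count(old)
    if count != 1:
        raise ValueError(f"{what}: expected exactly one match, found {count}")
    return text.replace(old, new)


def apply_recent_default(html: str, amount: int = 6, unit: str = "hours") -> str:
    """Return html with the three edits applied (default: last 6 hours)."""
    # Both values are written into HTML attributes, so allow only a positive
    # integer and a plain lowercase word; anything else is rejected.
    if not isinstance(amount, int) or amount <= 0:
        raise ValueError("amount must be a positive integer")
    if not re.fullmatch(r"[a-z]+", unit):
        raise ValueError("unit must be a plain lowercase word such as 'hours'")

    # Step 1: remove the noTimeFields state so the time controls start open.
    html = _replace_exactly_once(
        html, OUTER_WRAPPER_BEFORE, OUTER_WRAPPER_AFTER, "step 1 (outerWrapper div)"
    )
    # Step 2: pre-fill the relative start field with the amount.
    html = _replace_exactly_once(
        html,
        REL_START_BEFORE,
        f'<input type="text" value="{amount}" id="relStartTime" />',
        "step 2 (relStartTime input)",
    )
    # Step 3: mark the chosen unit's <option> as selected.
    option = re.compile(rf'<option value="{re.escape(unit)}">')
    found = option.findall(html)
    if len(found) != 1:
        raise ValueError(f"step 3 (unit option): expected one match, found {len(found)}")
    return option.sub(f'<option value="{unit}" selected="selected">', html)


def apply_to_file(path: Path, amount: int = 6, unit: str = "hours") -> Path:
    """Edit path in place after writing a .bak copy; returns the backup path."""
    original = path.read_text(encoding="utf-8")
    updated = apply_recent_default(original, amount, unit)  # validate before writing
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(updated, encoding="utf-8")
    return backup


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python this.py $SPLUNK_HOME/share/splunk/search/dynamic/main_ui.html
        saved = apply_to_file(Path(sys.argv[1]))
        print(f"updated {sys.argv[1]}; original saved as {saved}")
    else:
        print(apply_recent_default(SAMPLE_HTML, 6, "hours"))
```

Run it with the path to main_ui.html to apply the change, or with no arguments to see the edited sample fragment. Refreshing the browser is still required afterwards, exactly as described above.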

Posted by Splunk