- Tom Kopchak
- Dec 19, 2019
- Tested on Splunk Version: 6.2+
Do you find yourself needing to run Splunk searches over a specific time range, or a relative range that doesn’t fit into one of the default defined ones? This tutorial will show you how to set up custom entries in the Splunk time range picker.
While working with data in Splunk from the National Collegiate Penetration Testing Competition–I have a multi-part blog series about this if you’re interested in finding out more about it–I found myself needing to frequently run searches over a couple of defined time periods. Manually specifying these in each search as an earliest/latest pair, or in the time range picker, was annoying, so I wanted an easier way: a custom entry in the Splunk GUI.
When doing a demo of this data at a recent meeting of the Cleveland Splunk User Group, many of the attendees were intrigued by my custom entries in the time range picker. Since this was a new feature for many of them, I figured a quick write up and demo of this functionality would be in order.
Time ranges are configured under Settings -> Knowledge -> User interface -> Time ranges in the Splunk interface. To start, navigate to Settings -> User interface:
Then, select Time ranges:
Then, click New Time Range:
Configure your new time range. For this example, I’m specifying an absolute range using epoch values (Unix time, in seconds) for the start and end of each CPTC event. You can also use relative time modifiers, such as -7d@d for "seven days ago, snapped to midnight". For more details on available time modifiers, consult the Splunk documentation.
Once created, the time range is private to your user. If you’re a Splunk admin, you will likely want to share it with other members of your organization. To do so, change the permissions for the object in Splunk.
For this example, I’m configuring the time range to be available globally for all apps, and available for everyone to use and admins to modify:
Once this is in place, you’re all done! Your custom time frame will be ready to use.
When running a Splunk search, you’ll notice a few new entries in the time range picker, in the “other” section:
When selecting one of these ranges, you will see the entire name show up in the time range picker with your search:
Everything in Splunk ends up in a conf file somewhere, and this change is no exception. Since I created this time range in the Search & Reporting app and then shared it at the app/global level, the relevant times.conf lives in $SPLUNK_HOME/etc/apps/search/local on the search head. Had it stayed private, it would sit under $SPLUNK_HOME/etc/users/<username>/search/local instead. If you maintain these stanzas by hand, splunk btool times list --debug shows the merged result and which file each setting came from, and hand edits need a refresh of the search head (a restart, or the /debug/refresh endpoint) before the picker shows them.
splunk@hdf-cptc-06:/opt/splunk/etc/apps/search/local$ cat times.conf
[cptc_2019_nationals]
earliest_time = 1574463600
label = 2019-CPTC-nationals
latest_time = 1574582400

[cptc_2019_regionals]
earliest_time = 1570842000
label = 2019-CPTC-regionals
latest_time = 1570964400
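Hand-typed epoch values are the part of this that goes wrong in practice (wrong timezone, DST, reversed bounds). The script below is an added example, not code from the original post or from Splunk: it parses a times.conf body, renders each absolute bound in a chosen timezone so you can eyeball it, flags stanzas with missing keys, reversed bounds, or values that are neither epoch seconds nor a plausible relative modifier, and generates a stanza from timezone-aware datetimes instead of raw epochs. The sample conf text is constructed (the two stanzas from the page plus a relative range and a deliberately broken one), and the relative-modifier check is a loose sanity regex, not Splunk's full grammar.

```python
"""Parse, validate and generate Splunk times.conf stanzas.

Added example (not from the original post or from Splunk). Stanza keys follow
the times.conf shown on the page; the sample text below is constructed.
"""
from configparser import ConfigParser
from datetime import datetime, timezone, tzinfo
import re

# Constructed sample: the two absolute ranges from the post, one relative
# range, and a stanza with reversed bounds to exercise the checks.
SAMPLE_TIMES_CONF = """
[cptc_2019_nationals]
earliest_time = 1574463600
label = 2019-CPTC-nationals
latest_time = 1574582400

[cptc_2019_regionals]
earliest_time = 1570842000
label = 2019-CPTC-regionals
latest_time = 1570964400

[last_full_week]
earliest_time = -7d@w
label = Last full week
latest_time = @w

[broken_range]
earliest_time = 1574582400
label = Reversed bounds
latest_time = 1574463600
"""

# Loose shape check for relative modifiers such as -7d@d, @w, now, -1mon@mon+8h.
# Assumption: a sanity check only, not Splunk's full time-modifier grammar.
RELATIVE_MODIFIER = re.compile(r"^(now|[+\-@][0-9A-Za-z@+\-]*)$")


def parse_times_conf(text: str) -> dict[str, dict[str, str]]:
    """Return {stanza: {key: value}} for an ini-style times.conf body."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def is_epoch(value: str) -> bool:
    return value.isdigit()


def epoch_to_local(epoch: int, tz: tzinfo) -> str:
    """Render an epoch-seconds bound in the given zone so a human can check it."""
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M %Z")


def validate_stanza(name: str, settings: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the stanza looks sane."""
    problems = [f"{name}: missing {k}" for k in ("label", "earliest_time", "latest_time")
                if k not in settings]
    if problems:
        return problems
    bounds = {}
    for key in ("earliest_time", "latest_time"):
        val = settings[key]
        if is_epoch(val):
            bounds[key] = int(val)
        elif not RELATIVE_MODIFIER.match(val):
            problems.append(f"{name}: {key}={val!r} is neither epoch seconds nor a relative modifier")
    # Ordering can only be checked when both bounds are absolute.
    if len(bounds) == 2 and bounds["earliest_time"] >= bounds["latest_time"]:
        problems.append(f"{name}: earliest_time is not before latest_time")
    return problems


def make_absolute_stanza(name: str, label: str, start: datetime, end: datetime) -> str:
    """Build a stanza from two timezone-aware datetimes.

    Requiring aware datetimes forces the caller to say which zone the event ran
    in, which is exactly where hand-typed epoch values usually go wrong.
    """
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("start and end must be timezone-aware")
    if start >= end:
        raise ValueError("start must be before end")
    return (f"[{name}]\nearliest_time = {int(start.timestamp())}\n"
            f"label = {label}\nlatest_time = {int(end.timestamp())}\n")


if __name__ == "__main__":
    from zoneinfo import ZoneInfo  # needs the system tz database
    eastern = ZoneInfo("America/New_York")
    for name, settings in parse_times_conf(SAMPLE_TIMES_CONF).items():
        for key in ("earliest_time", "latest_time"):
            val = settings[key]
            print(f"{name:22} {key}={epoch_to_local(int(val), eastern) if is_epoch(val) else val}")
        for problem in validate_stanza(name, settings):
            print("  !!", problem)
    # Regenerate the nationals stanza from calendar dates rather than raw epochs.
    print(make_absolute_stanza("cptc_2019_nationals", "2019-CPTC-nationals",
                               datetime(2019, 11, 22, 18, 0, tzinfo=eastern),
                               datetime(2019, 11, 24, 3, 0, tzinfo=eastern)))
```

Run it against the times.conf on your search head (or paste the file into SAMPLE_TIMES_CONF) before you share a range globally: a reversed or off-by-one-timezone bound silently returns no events, which is easy to mistake for "no data" during an investigation.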
Hopefully, this helps make your Splunk user experience a bit smoother. Based on the Splunk Docs revisions, this feature has existed since Splunk 6.2, so you should be able to put this into practice on any currently supported version. For more information, feel free to take a look at the Splunk Docs page for times.conf. Happy Splunking!