How to Set Custom Time Range Presets in Splunk

While working with data in Splunk from the National Collegiate Penetration Testing Competition–I have a multi-part blog series about this if you’re interested in finding out more about it–I found myself needing to frequently run searches over a couple defined time periods. Manually specifying this in each search as an earliest/latest pair or in the time range picker was annoying, so I wanted to do this an easier way–by configuring a custom entry in the Splunk GUI.

When doing a demo of this data at a recent meeting of the Cleveland Splunk User Group, many of the attendees were intrigued by my custom entries in the time range picker. Since this was a new feature for many of them, I figured a quick write up and demo of this functionality would be in order.

Configuring a Custom Time Range

Time ranges are configured in Settings -> Knowledge -> User interface -> Time ranges section of the Splunk interface. To start, navigate to Settings -> User interface:

Then, select Time ranges:

Then, click New Time Range:

Configure your new time range. For this example, I’m specifying an absolute range using defined epoch values for the dates of each CPTC event. You can also use relative time ranges. For more details on available time modifiers, you can consult the Splunk documentation.

Once this is created, it will be defined locally for only your user. If you’re a Splunk admin, you will likely want to share this with other members of your organization. To do so, change the permissions for the object in Splunk.

For this example, I’m configuring the time range to be available globally for all apps, and available for everyone to use and admins to modify:

Once this is in place, you’re all done! Your custom time frame will be ready to use.

What This Looks like in Practice

When running a Splunk search, you’ll notice a few new entries in the time range picker, in the “other” section:

When selecting one of these ranges, you will see the entire name show up in the time range picker with your search:

Under the Hood

Everything in Splunk ends up being in a conf file somewhere, and this change is no exception. Since I made this search in the Searching and Reporting app, the relevant times.conf file ends up in $SPLUNK_HOME/etc/apps/search/local on the search head.

Wrap Up

Hopefully, this helps make your Splunk user experience a bit smoother. Based on the Splunk Docs revisions, this feature has existed since Splunk 6.2, so you should be able to put this into practice on any currently supported version. For more information, feel free to take a look at the Splunk Docs page for times.conf. Happy Splunking!