The following are the spec and example files for
# Version 7.0.1
#
# This file contains possible attribute/value pairs for creating custom time
# ranges.
#
# To set custom configurations, place a times.conf in
# $SPLUNK_HOME/etc/system/local/. For help, see times.conf.example. You
# must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

# Use the [default] stanza to define any global settings.
#  * You can also define global settings outside of any stanza, at the top
#    of the file.
#  * Each conf file should have at most one default stanza. If there are
#    multiple default stanzas, attributes are combined. In the case of
#    multiple definitions of the same attribute, the last definition in the
#    file wins.
#  * If an attribute is defined at both the global level and in a specific
#    stanza, the value in the specific stanza takes precedence.

* The token to be used when accessing time ranges via the API or command line
* A times.conf file can contain multiple stanzas.

label = <string>
* The textual description used by the UI to reference this time range
* Required

header_label = <string>
* The textual description used by the UI when displaying search results in
  this time range.
* Optional. If omitted, the <timerange_name> is used instead.

earliest_time = <string>
* The string that represents the time of the earliest event to return,
  inclusive.
* The time can be expressed with a relative time identifier or in epoch time.
* Optional. If omitted, no earliest time bound is used.

latest_time = <string>
* The string that represents the time of the earliest event to return,
  inclusive.
* The time can be expressed with a relative time identifier or in epoch time.
* Optional. If omitted, no latest time bound is used. NOTE: events that
  occur in the future (relative to the server timezone) may be returned.

order = <integer>
* The key on which all custom time ranges are sorted, ascending.
* The default time range selector in the UI will merge and sort all time
  ranges according to the 'order' key, and then alphabetically.
* Optional. Default value is 0.

sub_menu = <submenu name>
* If present, the time range is to be shown in the given submenu instead
  of in the main menu.
* The value for this key must be the label key of an existing stanza name,
  and that stanza name must have an is_sub_menu = True key
* Optional. If omitted the given time option will display in the main menu.

is_sub_menu = <boolean>
* If True, the given item is only the 'opener' element for a submenu.
* Stanzas containing this key can still be assigned an order value to set
  the placement within the main menu, but can not themselves have
  latest_time nor earliest_time keys.
# Version 7.0.1
#
# This is an example times.conf. Use this file to create custom time ranges
# that can be used while interacting with the search system.
#
# To use one or more of these configurations, copy the configuration block
# into times.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk
# to enable configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles


# Note: These are examples. Replace the values with your own customizations.


# The stanza name is an alphanumeric string (no spaces) that uniquely
# identifies a time range.
[this_business_week]

# Define the label used in the time range control
label = This business week

# Define the label to be used in display headers. If omitted the 'label' key
# will be used with the first letter lowercased.
header_label = during this business week
earliest_time = +1d@w1
latest_time = +6d@w6

# Define the ordering sequence of this time range. All time ranges are
# sorted numerically, ascending. If the time range is in a sub menu and not
# in the main menu, this will determine the position within the sub menu.
order = 110


# a time range that only has a bound on the earliest time
#
[last_3_hours]
label = Last 3 hours
header_label = in the last 3 hours
earliest_time = -3h
order = 30


# Use epoch time notation to define the time bounds for the Fall Semester
# 2013, where earliest_time is 9/4/13 00:00:00 and latest_time is 12/13/13
# 00:00:00.
#
[Fall_2013]
label = Fall Semester 2013
earliest_time = 1378278000
latest_time = 1386921600


# two time ranges that should appear in a sub menu instead of in the main
# menu. the order values here determine relative ordering within the
# submenu.
#
[yesterday]
label = Yesterday
earliest_time = -1d@d
latest_time = @d
order = 10
sub_menu = Other options

[day_before_yesterday]
label = Day before yesterday
header_label = from the day before yesterday
earliest_time = -2d@d
latest_time = -1d@d
order = 20
sub_menu = Other options


#
# The sub menu item that should contain the previous two time ranges. The
# order key here determines the submenu opener's placement within the main
# menu.
#
[other]
label = Other options
# A stanza whose label is referenced by sub_menu must have is_sub_menu = True.
is_sub_menu = True
order = 202
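
The spec above states several cross-stanza rules (label is required, order is an integer, sub_menu must match the label of a stanza with is_sub_menu = True, and a submenu opener cannot carry time bounds). The following is an added example, not part of the Splunk spec or example file, that checks a times.conf against those rules before it is deployed. It assumes Python's configparser is an acceptable parser for the file (settings placed outside any stanza are not handled); the function names and the sample input are constructed for illustration.

```python
import configparser

# Constructed sample (not from the page) with four deliberate rule violations.
SAMPLE = """\
[yesterday]
label = Yesterday
earliest_time = -1d@d
latest_time = @d
sub_menu = Other options

[other]
label = Other options
order = 202

[archive]
label = Archive
is_sub_menu = True
earliest_time = 0

[no_label]
earliest_time = -1h
order = first
"""

def is_opener(stanza):
    # Assumption: only "true" and "1" are treated as True in this example.
    return stanza.get("is_sub_menu", "").strip().lower() in ("true", "1")

def validate_times_conf(text):
    """Return sorted (stanza, problem) pairs for violations of the spec rules."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, default_section="default")
    cp.read_string(text)
    stanzas = {name: cp[name] for name in cp.sections()}
    opener_labels = {s.get("label") for s in stanzas.values() if is_opener(s)}
    problems = []
    for name, s in stanzas.items():
        if not s.get("label"):
            problems.append((name, "label is required"))
        try:
            int(s.get("order", "0"))
        except ValueError:
            problems.append((name, "order must be an integer"))
        if "sub_menu" in s and s["sub_menu"] not in opener_labels:
            problems.append((name, "sub_menu does not match the label of an is_sub_menu stanza"))
        if is_opener(s) and ("earliest_time" in s or "latest_time" in s):
            problems.append((name, "submenu opener must not set earliest_time or latest_time"))
    return sorted(problems)

if __name__ == "__main__":
    print(*validate_times_conf(SAMPLE), sep="\n")
```

In the sample, the [yesterday] stanza is flagged because [other] carries the matching label but is not marked is_sub_menu = True.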
This documentation applies to the following versions of Splunk® Enterprise: 7.0.1