Documentation: 3.2.2
This page last updated: 06/24/08 03:06pm

Dynamic event rendering

Dynamic event rendering, or decoration, uses CSS to control how different types of events (including audit events) are displayed in Splunk Web, based on criteria that you define. For example, you can add a text label to an event or change the background color behind it.

How dynamic event rendering works

Events displayed in Splunk Web as search results are decorated with CSS styles based on what audit event they represent, or what event type they are. If you have enabled auditing, Splunk identifies different audit events by default and populates the field _decorations with a string that represents the type of audit event that occurred.

The following is a list of audit event types:

  • audit_valid: the event is valid.
  • audit_gap: there is a gap between events that may indicate tampering.
  • audit_tampered: the event has been tampered with.
  • audit_cantvalidate: the event cannot be validated.

If you have not enabled auditing, the _decorations field is empty. You can still decorate events on any criteria you like: define an event type for the events you want to mark, then set a decoration for that event type.

Event decorations

To set how events are decorated, edit the relevant CSS in $SPLUNK_HOME/share/splunk/search_oxiclean/static/css/default.css. If you want unique decorations for events displayed in the Splunk basic and black skins (or your custom skin), specify decorations in the respective CSS files in $SPLUNK_HOME/splunk/share/splunk/search_oxiclean/static/css/skins/ as well. If you use either the basic or black skins and don't specify a decoration for a given event type, Splunk Web uses the value from default.css.

Splunk comes with CSS styles predefined to:

  • add a text box to an event
  • change the background color behind the text of an event

Define any number of additional styles in the relevant Splunk Web style sheet.

Configure dynamic event rendering

Once you have defined CSS, specify which audit events and event types you want to decorate by configuring prefs.conf. Create your own prefs.conf and copy it into your own custom bundle directory. Do not edit the copy in $SPLUNK_HOME/etc/bundles/default.

Enable or disable dynamic event rendering

Turn dynamic event rendering on or off using the decoration_enabled key in prefs.conf. This key is boolean; when set to true, dynamic event rendering is turned ON.

decoration_enabled = True

Specify events to be rendered

You don't have to put decoration entries into prefs.conf in any specific order or stanza structure; entries are identified by the keys themselves. Any entry in prefs.conf whose key begins with decoration_$EVENT is read as an event decoration. To specify what you want decorated, set $EVENT to the name of your audit event or event type.

The following is an example of an audit event decoration for valid events. It uses the classes defined in the CSS stylesheet to display a text label for all valid events:

decoration_audit_valid = {"align": "top", "wrapperclass": "defaultDecorationWrapperclass", "textclass": "auditValidTextclass", "text": "Valid." }

This is a similar audit event decoration for events that were tampered with:

decoration_audit_tampered = {"align": "top", "wrapperclass": "defaultDecorationWrapperclass", "textclass": "auditTamperedTextclass", "text": "Tampered!"}

This is an event decoration for adding a text label to a diff event:

decoration_diff = {"align": "top", "wrapperclass": "diffHeaderWrapperclass", "text": "<pre>diff x y compares x to y<br/>- indicates a line present in x but missing in y<br/>+ indicates a line present in y but missing in x<br/>! indicates a line that exists in both x and y, but contains different information</pre>" }

Example

Here is a step-by-step example for configuring a custom decoration for a new event type. (To create decorations for an existing eventtype, skip the first step.)

1. Add to $SPLUNK_HOME/etc/bundles/local/eventtypes.conf:

eventtype=non-auth
search= * Failed authentication

2. Add the following to $SPLUNK_HOME/share/splunk/search_oxiclean/static/css/default.css (make a backup first):

.iErrorTextclass {
  padding-left: 20px;
  padding-top: 3px;
  padding-bottom: 3px;
  color: #A22;
}
.iErrorRowclass {
  background-color: #FAA !important;
}

3. Add to $SPLUNK_HOME/etc/bundles/local/prefs.conf:

decoration_non-auth={"align":"top","wrapperclass":"defaultDecorationWrapperclass","textclass":"iErrorTextclass", "text":"Intruder Alert."}

4. Add to $SPLUNK_HOME/etc/bundles/local/decorations.conf:

non-auth=decoration_non-auth

5. Restart Splunk and clear your browser cache.

6. To see your new custom decorations, filter your search results to eventtype=non-auth.
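A decoration silently fails to render when its prefs.conf value is not valid JSON, when it references a CSS class that default.css does not define, or when decorations.conf points at a decoration key that does not exist. The following script is an added example (not part of this page or shipped with Splunk) that cross-checks the three files from the procedure above: it reads decoration_$EVENT keys from prefs.conf, parses each value as JSON, checks that the wrapperclass and textclass names exist in the CSS, and verifies that every decorations.conf mapping resolves. The required-field list (align, wrapperclass, text) is an assumption drawn from the examples on this page, the flat key=value parsing mirrors the page's statement that entries are identified by key alone rather than by stanza, and the check that decoration_enabled is spelled exactly True follows the page's own example. All sample file contents are constructed inline.

```python
import json
import re

# Constructed sample inputs (not from a real Splunk install): a prefs.conf
# fragment, a default.css fragment and a decorations.conf fragment.
SAMPLE_PREFS = """\
# comment lines and blank lines are ignored
decoration_enabled = True

decoration_audit_valid = {"align": "top", "wrapperclass": "defaultDecorationWrapperclass", "textclass": "auditValidTextclass", "text": "Valid." }
decoration_non-auth={"align":"top","wrapperclass":"defaultDecorationWrapperclass","textclass":"iErrorTextclass", "text":"Intruder Alert."}
decoration_broken = {"align": "top", "wrapperclass": "noSuchWrapper", "text": "oops"}
decoration_badjson = {"align": "top", "text": "unterminated"
some_other_key = 42
"""

SAMPLE_CSS = """\
.defaultDecorationWrapperclass { padding: 2px; }
.auditValidTextclass { color: #2A2; }
.iErrorTextclass {
  padding-left: 20px;
  color: #A22;
}
.iErrorRowclass { background-color: #FAA !important; }
"""

SAMPLE_DECORATIONS = """\
non-auth=decoration_non-auth
audit_valid=decoration_audit_valid
nonexistent=decoration_missing
"""

KEY_VALUE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")
CSS_CLASS = re.compile(r"\.([A-Za-z_][\w-]*)\s*\{")
REQUIRED = ("align", "wrapperclass", "text")   # assumed from the page's examples
CLASS_KEYS = ("wrapperclass", "textclass")      # fields that name CSS classes


def parse_conf(text):
    """Return key -> raw value for flat key=value lines; skips blanks and # comments."""
    out = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def css_classes(text):
    """Collect every class selector name (.name { ... }) defined in the CSS."""
    return set(CSS_CLASS.findall(text))


def check_decorations(prefs_text, css_text, decorations_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    prefs = parse_conf(prefs_text)
    classes = css_classes(css_text)
    findings = []
    valid_keys = set()

    # The page's example spells the switch as "True"; anything else is flagged.
    if prefs.get("decoration_enabled") != "True":
        findings.append("decoration_enabled is missing or not spelled exactly 'True'")

    for key, raw in prefs.items():
        if not key.startswith("decoration_") or key == "decoration_enabled":
            continue
        try:
            spec = json.loads(raw)
        except ValueError as exc:
            findings.append(f"{key}: value is not valid JSON ({exc})")
            continue
        if not isinstance(spec, dict):
            findings.append(f"{key}: value must be a JSON object")
            continue
        valid_keys.add(key)
        for field in REQUIRED:
            if field not in spec:
                findings.append(f"{key}: missing required field '{field}'")
        for field in CLASS_KEYS:
            cls = spec.get(field)
            if cls and cls not in classes:
                findings.append(f"{key}: {field} '{cls}' is not defined in the CSS")

    for event, target in parse_conf(decorations_text).items():
        if target not in valid_keys:
            findings.append(
                f"decorations.conf: {event} maps to '{target}', "
                "which has no valid decoration entry in prefs.conf")
    return findings


if __name__ == "__main__":
    for finding in check_decorations(SAMPLE_PREFS, SAMPLE_CSS, SAMPLE_DECORATIONS):
        print(finding)
```

Run against the sample data the script reports three problems: the unterminated JSON in decoration_badjson, the undefined noSuchWrapper class, and the dangling decorations.conf mapping. To use it on a real bundle, replace the three sample strings with the contents of your local prefs.conf, default.css and decorations.conf.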


Comments

  1. It has to be "True," with the "T" in upper-case. I've filed a bug.

  2. Setting "decoration_enabled = true" in my custom bundle's prefs.conf caused an error that would not allow any events to display. The event decorations, however, work without this line. Maybe it only needs to be set in the default/prefs.conf?
