Documentation: 3.3.4
This page last updated: 07/01/08 03:07pm

prefs.conf

prefs.conf controls per-user settings including SplunkWeb search and result display preferences and dashboard layout.

prefs.conf.spec

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains all possible attributes and value pairs for a prefs.conf
# file.  Use this file to configure display preferences in Splunk Web.
#
# There is a prefs.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place a prefs.conf in $SPLUNK_HOME/etc/system/local/. For help, see
# prefs.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/doc/latest/admin/BundlesIntro.
#
# Global default preferences are specified at the top of the file
# without a stanza name.
#
# Subsequent stanzas are organized by user name, and hold user-specific settings.
# The user settings override any global preferences.

selectedKeys = <space-separated string> 
        * This value represents the default arguments to the SplunkWeb select processor.  
        * Whenever any of these keys are present in the data, they will appear in the filtering bar,
        just below the timeline, and just above the events returned by the search.   
        * If a key in the list is not present in the data, it will not appear in the filtering bar. 
        * Defaults to source host sourcetype.

skin = <string>
        * This value represents the name of the skin CSS file that should be loaded by default. 
        * Splunk ships with 'basic' and 'black' and defaults to 'basic.'
        * You are free to create your own files and activate them by placing them in the
        share/splunk/search_oxiclean/static/css/skins/ directory.
        * For instance, placing a foo.css file in the skins dir will make 'foo' appear as a third option 
        in the SplunkWeb theme pulldown, as well as make 'foo' a valid value for <string>.
        * Defaults to Basic.

dashboard_activeset = <string>
        * Represents the name of the currently loaded dashboard panel set.  
        * The value here is linked to a 'dashboardset_*' key name that exists as a prefs.conf key.  
        * For example, a value of 'foo' means that another key named 'dashboardset_foo' MUST exist.
        
dashboardset_<setname> = <JS array literal>
        * Represents a list of saved search names to load as a unit on the SplunkWeb home page.  
        * The second part of this keyname is linked to the 'dashboard_activeset' key.  
        * It is expected that there will be multiple versions of this key, i.e. 'dashboardset_default', 
        'dashboardset_admin', 'dashboardset_noc', etc.
        * The <JS array literal> is a JSON array format: ['web_errors','failed_logins','db_exceptions']
                
saved_<saved_search_name>_panelIsOpen = <true/false>
        * Indicates the panel state of a particular saved search when displayed in a dashboard set.  
        * If 'true', then the full panel is shown.  
        * If 'false', then only a summary line is shown.  
        * The <saved_search_name> is the full search string of the saved search with all non-alpha characters removed.
        
saved_<saved_search_name>_panelMode = <string>
        * Indicates the view state of a saved search when displayed in a dashboard set.  
        * The values for this correspond to the available panels that can be shown on a given search.  
        * Typical values are: 'Timeline', 'Chart', and 'Table'.  
        * The <saved_search_name> is the full search string of the saved search with all non-alpha characters removed.

showMeta = <true/false>
        * Toggle on and off:
                fields, dividers between events, timestamp at the left of the event, 
                and the colored time boundary bars between events.
        * Defaults to true.

softWrap = <true/false>
        * Toggle on and off softWrap.
        * If set to true, events softwrap at the browser window edge.
        * If set to false, events will go offscreen and trigger horizontal scrollbars.
        * Defaults to true.

showTimeline = <true/false>
        * Toggle on and off the timeline chart in search results view.
        * Please note:  reporting has its own timechart graph, and this setting is unrelated.
        * Defaults to true.

format = <Inner | Outer | Raw | Full>   
        * Set the segmentation display options.
        * Set to Inner, Outer, Raw, or Full.
        * To configure segmentation in events, use segmenters.conf.
        * Defaults to Full.

maxResults = <number>   
        * Set the number of events that the search language should load when doing processing, 
        field extraction, charting, etc.
        * Defaults to 50000.

prefs.conf.example

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0
#
# This file contains an example prefs.conf.  Use this file to configure display preferences in Splunk Web.
#
# To use one or more of these configurations, copy the configuration block into
# prefs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/doc/latest/admin/BundlesIntro.

# The following example sets default settings for all users of a single instance.

# Global defaults: these keys come before any [user:...] stanza, so they apply to every user
# unless a user stanza overrides them.
# NOTE(review): string values are quoted here, while prefs.conf.spec shows them unquoted;
# confirm how the parser treats the quotes.
selectedKeys = "source host punct ip sourcetype eventtype"
format = "Inner"
skin = "Basic"
# NOTE(review): defaultTimeRange is not described in prefs.conf.spec; confirm it is a supported key.
defaultTimeRange = startminutesago::60
# Number of events a search may load for processing; matches the documented default of 50000.
maxResults = 50000

# The following example sets display preferences for user Admin.

# Settings for the user named "admin"; they override the global defaults for that user only.
# The stanza is selected by user name, so it follows whichever account carries that name.
[user:admin]
format = "Outer"
skin = "Basic"
# Hides fields, event dividers, left-hand timestamps and time boundary bars.
showMeta = false
softWrap = true
# Hides the timeline chart in the search results view (reporting charts are unaffected).
showTimeline = false
maxResults = 50000
        

# The following example sets display preferences for user Bob.

# Settings for the user named "bob"; they override the global defaults for that user only.
[user:bob]
format = "Full"
skin = "Black"
showMeta = true
softWrap = true
showTimeline = true
# Limits this user to 5000 loaded events, lower than the global value of 50000.
maxResults = 5000

# Advanced custom search dashboard example using Twiki. Edit the searches and display options to 
# customize this example for your own dataset.

#This defines the modules for the Twiki dashboard. The first module is a custom _text module, 
#the 2nd, 3rd, 4th are all custom 'columns of blue links' modules. And the last one is a Flash chart.

# Panel set named "twiki": the modules loaded together on the dashboard, in display order.
# NOTE(review): this is a plain comma-separated list, whereas prefs.conf.spec describes
# dashboardset_<setname> as a JS array literal; confirm which form the parser accepts.
# NOTE(review): the value wraps onto a second line with no continuation marker (probably page
# wrapping); keep it on one line when copying.
# NOTE(review): no stanza header precedes the dashboard keys, so used verbatim they would fall
# under the preceding [user:bob] stanza; confirm the intended scope before copying.
dashboardset_twiki = TwikiIntro,Twiki saved searches,Twiki activity last 24 hours,Twiki activity 
last 7 days,Users editing in the last 24 hours,Pages edited in the last 24 hours

# The $+ is important, as we don't want to blow away the custom list, but rather append to existing ones.

# Registers the custom list modules by name. Each name reappears in the keys that follow as
# dashboard_customList_<name>_<suffix>, with spaces in the name written as underscores.
dashboard_customList = Twiki activity last 7 days,Twiki activity last 24 hours,TwikiIntro,Twiki saved searches,$+

# Custom list entries have to have a _searches and a _labels entry (even if the _labels one is empty).
# If you have only one search in the _searches list, you can let it return as many as you want, and 
# it will split the rendering up into 2 and 3 columns past certain thresholds.

# Single-search list: selects saved searches whose stanza matches "Twiki%" and exposes the stanza
# as the link name and the saved query as the link term.
# The search string is held in a one-element array literal.
# NOTE(review): the value wraps mid-string with no continuation marker (probably page wrapping);
# join the two lines before use.
dashboard_customList_Twiki_saved_searches_searches = ['| admin mysavedsearches | where stanza LIKE 
"Twiki%" | rename stanza as name query as term | sort name']

# Intentionally empty: a _labels key has to exist for every custom list entry.
dashboard_customList_Twiki_saved_searches_labels =

# If you have more than one search in _searches, you MUST limit the results to 15 by whatever
# means you choose. This is to defeat the auto-column-splitting feature referred to above, 
# which renders poorly.
# You must use _labels when there is more than one search in the _searches key. 
# They appear as subheaders above the respective results.

# Two searches over the last 24 hours, each limited to the top 15 twikiuser values:
# the first counts save/edit events, the second attach/upload events.
# NOTE(review): `term` is built by concatenating the twikiuser field value into a search string.
# twikiuser comes from indexed event data, so presumably a value that contains search syntax
# would change the search behind the link; confirm how the UI quotes or escapes term.
# NOTE(review): the value wraps across lines with no continuation marker (probably page wrapping).
dashboard_customList_Twiki_activity_last_24_hours_searches = ['sourcetype="twiki" ( save OR edit ) 
starthoursago="24" | top limit=15 twikiuser | eval term="( save OR edit ) ".twikiuser | rename 
twikiuser as name | rename count as rowCount', 'sourcetype="twiki" ( attach OR upload ) 
starthoursago="24" | top limit=15 twikiuser | eval term="(attach OR upload) ".twikiuser | rename 
twikiuser as name | rename count as rowCount']

# One subheader per search above, in the same order.
dashboard_customList_Twiki_activity_last_24_hours_labels = Edits, Uploads

# Three searches, each limited to 15 rows, matching the three labels below in order:
#   1. edits where date_hour>20 OR date_hour<5, grouped by twikiuser
#   2. view events where twikiuser equals twikipage, grouped by twikiuser
#   3. save events matching *kickoff*, grouped by twikipage
# NOTE(review): searches 1 and 3 carry startdaysago::7 but search 2 has no time term; confirm
# whether its time range is meant to be unbounded.
# NOTE(review): in searches 1 and 2 `term` is assembled by concatenating field values taken from
# event data; confirm how the UI quotes or escapes term before it is run as a search.
# NOTE(review): the value wraps across lines with no continuation marker (probably page wrapping).
dashboard_customList_Twiki_activity_last_7_days_searches = ['sourcetype::twiki edit 
startdaysago::7 | where date_hour>20 OR date_hour<5 | top limit=15 twikiuser | 
eval term="edit ".twikiuser." | where date_hour>20 OR date_hour<5" | rename twikiuser as name | 
rename count as rowCount', 'host::twiki view | where twikiuser=twikipage | top limit=15 twikiuser | 
rename twikiuser as name | rename count as rowCount | eval term="host::twiki view ".name." | 
where twikiuser=twikipage"','host::twiki *kickoff* save startdaysago::7 | top limit=15 twikipage | 
rename twikipage as name count as rowCount | eval term="host::twiki \"*kickoff*\" | where 
twikipage=\".twikipage.\""' ]

# One subheader per search above, in the same order.
dashboard_customList_Twiki_activity_last_7_days_labels=Insomnia,Profile updates,Edited pages with 
'kickoff' in the title. (replace kickoff with anything you want to keep an eye on)

# Text module for the TwikiIntro entry: the value is raw HTML (a bulleted list and one link).
# NOTE(review): presumably SplunkWeb renders this markup without escaping, in which case write
# access to this key allows arbitrary markup on the dashboard page; confirm the escaping and
# who is able to edit prefs.conf.
# NOTE(review): the link points at one specific host over plain http (spacecake:28000);
# replace it with your own SplunkWeb URL before reuse.
dashboard_customList_TwikiIntro_text =      With this bundle enabled, you'll get      <ul>          <li>some extracted fields like twikiuser, twikipage, twikiaction</li>          <li>some event types, like twikiViews, twikiEdits, twikiUploads</li>          <li>some field actions, some that go to the live twiki, some that launch 'show source' style viewers within Splunk </li>          <li>Some shared dashboard charts, as you see here</li>          <li>Some custom 'blue link' modules that show various useful little searches and breakdowns</li>          <li>Also there's a <a href="http://spacecake:28000/?s=Twiki%20-%20template%20for%20Twiki%20homepage%20by%20hour%20of%20day" 
         target="_top">Form Search</a> template for viewing distribution of classes of events split by hour of the day. </li>      </ul>