prefs.conf
This documentation does not apply to the most recent version of Splunk.
Prefs.conf controls per-user settings including SplunkWeb search and result display preferences and dashboard layout.
To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/bundles/local/prefs.conf.
You can create this file by copying examples from $SPLUNK_HOME/etc/bundles/README/prefs.conf.example.
Never edit files in our default bundle in $SPLUNK_HOME/etc/bundles/default or your changes may be overwritten in an upgrade.
prefs.conf.spec
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains all possible options for a "prefs.conf" file.
#
# The prefs.conf file contains user preferences for SplunkWeb components, based on user
# name. Global default preferences are specified at the top of the file
# without a stanza declaration (?).
#
# Subsequent stanzas are organized by user name, and hold user-specific settings.
# The user settings override any global preferences.
#
# If the same user:admin is found in two bundle directories, the following
# precedence rules apply. Attributes in the "local" bundle are read first and
# attributes in the "default" bundle are read last. Attributes in the
# other bundles are loaded in alphabetical order of bundle name.
#
# Overriding is performed attribute by attribute, so if a specific
# attribute is not specified in "local", but in another bundle,
# it will be taken from that other bundle.
# Sample prefs.conf:
# BEGIN ------------------------------------------------------------------------
selectedKeys = "source host sourcetype ip punct"
setSkin = Basic
[user:admin]
selectedKeys = "source host sourcetype ip punct userid queueid from to email username"
localValue2 = lval2
# END --------------------------------------------------------------------------
#
# Key definitions
#
selectedKeys = <space-separated string>
* This value represents the default arguments to the SplunkWeb select
processor. Whenever any of these keys are present in the data, they will
appear in the filtering bar, just below the timeline, and just above the
events returned by the search. If a key in the list is not present in the
data, it will not appear in the filtering bar.
skin = <string>
* This value represents the name of the skin CSS file that should be loaded by
default. Splunk ships with 'basic' and 'black', and defaults to 'basic', but
users are free to create their own files. For instance, placing a foo.css file
in the share/splunk/search_oxiclean/static/css/skins directory will make
'foo' appear as a third option in the SplunkWeb 'theme' pulldown, as well as
make 'foo' a valid value here.
dashboard_activeset = <string>
* Represents the name of the currently loaded dashboard panel set. The value
here is linked to a 'dashboardset_*' key name that exists as a prefs.conf
key. For example, a value of 'mydashboard' means that another key of
'dashboardset_mydashboard' MUST exist.
dashboardset_<setname> = <JS array literal>
* Represents a list of saved search names to load as a unit on the SplunkWeb home
page. The second part of this keyname is linked to the 'dashboard_activeset'
key. It is expected that there will be multiple versions of this key, i.e.
'dashboardset_default', 'dashboardset_admin', 'dashboardset_noc', etc.
The value format is a JSON array format:
['web_errors','failed_logins','db_exceptions']
lastReportClause = <string>
* Holds the last executed 'report' clause entered in the SplunkWeb. This is the
default reporting action that is run when a user switches result views
between 'results', 'raw', 'report'. Ex: 'report top _ip'
startpage = <string>
* Indicates the starting page to be displayed in the SplunkWeb upon loading the
Splunk Server home page. Values are:
-- '_default': loads the currently selected dashboard
-- 'first': loads the 'first-time run' welcome page
-- 'second': loads the 'second-time run' welcome page
saved_<saved_search_name>_panelIsOpen = <boolean>
* Indicates the panel state of a particular saved search when displayed in a
dashboard set. If 'true', then the full panel is shown. If 'false', then
only a summary line is shown. The <saved_search_name> is the full search
string of the saved search with all non-alpha characters removed.
saved_<saved_search_name>_panelMode = <string>
* Indicates the view state of a saved search when displayed in a dashboard
set. The values for this correspond to the available panels that can be
shown on a given search. Typical values are: 'Timeline', 'Chart', and
'Table'. The <saved_search_name> is the full search string of the saved
search with all non-alpha characters removed.
showMeta = <true/false>
* Indicates whether the user wants to see fields, dividers between events,
timestamp at the left of the event, and the colored time boundary bars
between events.
softWrap = <true/false>
* Whether the user wants events to softWrap at the window edge, or wants
them to go offscreen and trigger horizontal scrollbars.
showTimeline = <true/false>
* Whether the user wants the timeline chart to show in search results view.
(Note that reporting has its own timechart graph, and this setting is
unrelated.)
enableExtractedFields = <true/false>
* Whether the user wants to group and summarize their data by fields
extracted at search time.
NOTE: searches will not be as fast when this preference is on.
format = <string>
* Sets the segmentation with which the events should be displayed.
Set to any of Inner, Outer, Raw, Full.
maxResults = <number>
* Sets the number of events that the search language should load when doing
processing, field extraction, charting, etc.
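The bundle precedence rules and the dashboard_activeset / dashboardset_<setname> linkage described in the spec above, as an added example (not Splunk's own code): it merges constructed sample bundles attribute by attribute and flags an active set that has no matching key. It assumes that the bundle read first wins and that a user stanza in any bundle overrides global keys; the bundle name "noc" and all function names are hypothetical.

```python
# Added example: resolve effective prefs.conf settings for one user.
BUNDLES = {  # constructed sample file contents, keyed by bundle name
    "default": 'selectedKeys = "source host sourcetype"\nskin = basic\n'
               "dashboard_activeset = default\n"
               "dashboardset_default = ['web_errors','failed_logins']\n",
    "noc": "[user:admin]\ndashboard_activeset = noc\nskin = black\n",
    "local": "[user:admin]\nskin = basic\n",
}

def parse(text):
    """Return {stanza: {key: value}}; keys before any stanza go under ''."""
    stanzas, current = {"": {}}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def read_order(names):
    """'local' first, 'default' last, other bundles alphabetically."""
    rank = {"local": 0, "default": 2}
    return sorted(names, key=lambda n: (rank.get(n, 1), n))

def effective(bundles, user):
    """Merge attribute by attribute (assumption: first bundle read wins)."""
    parsed = {name: parse(text) for name, text in bundles.items()}
    merged = {}
    for stanza in ("user:" + user, ""):  # user stanza overrides globals
        for name in read_order(bundles):
            for key, value in parsed[name].get(stanza, {}).items():
                merged.setdefault(key, value)
    return merged

def check_activeset(prefs):
    """Return an error string if the active set has no dashboardset_ key."""
    active = prefs.get("dashboard_activeset")
    if active and "dashboardset_" + active not in prefs:
        return "dashboard_activeset=%s but dashboardset_%s is missing" % (active, active)
    return None
```

With the sample data, the "noc" bundle switches admin's active set to 'noc' without defining dashboardset_noc, which is the broken linkage the spec warns about.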
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3