Documentation > Splunk > Admin Manual > prefs.conf

Admin Manual

 


Getting Started
How Splunk Works
Configuring a Splunk Deployment
Data Inputs
Hosts
Source Types
Timestamp Recognition
Events
Event Types
Meta Events
Fields
Segmentation
Saved Searches and Alerts
Authentication
Granular Access Control
Data Distribution
Distributed Search
Deployment Server
Index Management
Bundles
SplunkBase
Performance Tuning
Routine Maintenance
How-To
Troubleshooting
Reference

prefs.conf

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

prefs.conf

prefs.conf controls per-user settings including SplunkWeb search and result display preferences and dashboard layout.

prefs.conf.spec 

# Copyright (C) 2005-2007 Splunk Inc.  All Rights Reserved.  Version 3.0 
# This file contains possible attributes and values for configuring preferences in prefs.conf.
#
# There is a prefs.conf in $SPLUNK_HOME/etc/bundles/default/.  To set custom configurations, 
# place an prefs.conf in $SPLUNK_HOME/etc/bundles/local/ or your own custom bundle directory.
# The prefs.conf file contains user preferences for SplunkWeb components, based on user
# name.  Global default preferences are specified at the top of the file
# without a stanza declaration.
#
# Subsequent stanzas are organized by user name, and hold user-specific settings.
# The user settings override any global preferences.
# 
# If the same user is found in two bundle directories, the following 
# precedence rules apply:
# Attributes in the "local" bundle are read first.
# Attributes in the "default" bundle are read last. 
# Attributes in the other bundles are loaded in alphabetical order of bundle name.
# 
# Overriding is performed attribute by attribute, so if a specific
# attribute is not specified in "local", but in another bundle,
# it will be taken from that other bundle.
# Sample prefs.conf:
# BEGIN ------------------------------------------------------------------------
selectedKeys = "source host sourcetype ip punct"
setSkin = Basic
[user:admin]    
selectedKeys = "source host sourcetype ip punct userid queueid from to email username"
localValue2 = lval2
# END --------------------------------------------------------------------------
#
# Key definitions
#
selectedKeys = <space-separated string> 
        * This value represents the default arguments to the SplunkWeb select processor.  
        * Whenever any of these keys are present in the data, they will appear in the filtering bar,
        just below the timeline, and just above the events returned by the search.   
        * If a key in the list is not present in the data, it will not appear in the filtering bar. 
skin = <string>
        * This value represents the name of the skin CSS file that should be loaded by default. 
        * Splunk ships with 'basic' and 'black' and defaults to 'basic.'
        * You are free to create your own files and activate them by placing them in the
        share/splunk/search_oxiclean/static/css/skins/ directory.
        * For instance, placing a foo.css file in the skins dir will make 'foo' appear as a third option 
        in the SplunkWeb theme pulldown, as well as make 'foo' a valid value for <string>. 
dashboard_activeset = <string>
        * Represents the name of the currently loaded dashboard panel set.  
        * The value here is linked to a 'dashboardset_*' key name that exists as a prefs.conf key.  
        * For example, a value of 'foo' means that another key named 'dashboardset_foo' MUST exist.
        
dashboardset_<setname> = <JS array literal>
        * Represents a list of saved search names to load as a unit on the SplunkWeb home page.  
        * The second part of this keyname is linked to the 'dashboard_activeset' key.  
        * It is expected that there will be multiple versions of this key, i.e. 'dashboardset_default', 
        'dashboardset_admin', 'dashboardset_noc', etc.
        * The <JS array literal> is a JSON array format: ['web_errors','failed_logins','db_exceptions']
                
lastReportClause = <string>
        * Holds the last executed 'report' clause entered in SplunkWeb.  
        * This is the default reporting action that is run when a user switches result views 
        between 'results', 'raw', 'report'.  
        * Ex: 'report top _ip'
        
startpage = <string>
        * Indicates the starting page to be displayed in SplunkWeb upon loading the Splunk Server home page.  
        * Values are:
                -- '_default': loads the currently selected dashboard.
                -- 'first': loads the 'first-time run' welcome page.
                -- 'second': loads the 'second-time run' welcome page.
                
saved_<saved_search_name>_panelIsOpen = <true/false>
        * Indicates the panel state of a particular saved search when displayed in a dashboard set.  
        * If 'true', then the full panel is shown.  
        * If 'false', then only a summary line is shown.  
        * The <saved_search_name> is the full search string of the saved search with all non-alpha characters removed.
        
saved_<saved_search_name>_panelMode = <string>
        * Indicates the view state of a saved search when displayed in a dashboard set.  
        * The values for this correspond to the available panels than can be shown on a given search.  
        * Typical values are: 'Timeline', 'Chart', and 'Table'.  
        * The <saved_search_name> is the full search string of the saved search with all non-alpha characters removed.
showMeta = <true/false>
        * Toggle on and off:
                fields, dividers between events, timestamp at the left of the event, 
                and the colored time boundary bars between events.
softWrap = <true/false>
        * Toggle on and off softWrap.
        * If set to true, events softwrap at the browser window edge.
        * If set to false, events will go offscreen and trigger horizontal scrollbars.
showTimeline = <true/false>
        * Toggle on and off the timeline chart in search results view.
        * Please note:  reporting has its own timechart graph, and this setting is unrelated.
enableExtractedFields = <true/false>
        * Toggle whether to group and summarize data by fields extracted at search time. 
        * Please note: searches will not be as fast when this preference is on.
format = <string>   
        * Set the segmentation display options.
        * Set to Inner, Outer, Raw, or Full.
        * To configure segmentation in events, use segmenters.conf.
maxResults = <number>   
        * Set the number of events that the search language should load when doing processing, 
        field extraction, charting, etc.

prefs.conf.example 

# Copyright (C) 2005-2007 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains example preferences.
# To use one or more of these configurations, copy the configuration block into
# prefs.conf in $SPLUNK_HOME/etc/bundles/local/ (or your own custom bundle).
dashboardset_admin = ["errors"]
dashboardset_default = ["errors"]
dashboard_activeset = "default"
startpage = "_default"
selectedKeys = "source host punct ip sourcetype eventtype"
format = "Inner"
skin = "Basic"
defaultTimeRange = startminutesago::60
maxResults = 50000
[user:admin]
format = "Outer"
skin = "Basic"
showMeta = false
softWrap = true
showTimeline = false
maxResults = 50000
enableExtractedFields = true
        
[user:bob]
format = "Full"
skin = "Black"
showMeta = true
softWrap = true
showTimeline = true
maxResults = 5000
enableExtractedFields = false
Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.1.4/Admin/Prefsconf"

This documentation applies to the following versions of Splunk: 3.1.4 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!