decorations.conf
This documentation does not apply to the most recent version of Splunk.
Use this file to configure event decorations in Splunk Web.
decorations.conf.spec
# This file contains possible attributes and values you can use to configure decorating audit events
# in decorations.conf. NOTE: You can only decorate audit events with this file. To configure
# decorations for other events, please see prefs.conf.spec.
#
# There is a decorations.conf in $SPLUNK_HOME/etc/bundles/default. To set custom configurations,
# place a decorations.conf in your own custom bundle directory. For examples, see
# decorations.conf.example.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.

[audittrail]
* This stanza turns on decorations.
* Follow this stanza name with any number of the following attribute/value pairs.
* Each attribute maps to any tag in 'prefs.conf' that starts with the word 'decoration_'.

valid = decoration_$PREFSTAGv
* Maps to the decoration tag for an audit event that is in sequence and has not been tampered with.
* $PREFSTAGv is the name of the tag configured for valid events in prefs.conf.

gap = decoration_$PREFSTAGg
* Maps to the decoration tag for an audit event that has an event before it that is out of sequence or missing.
* $PREFSTAGg is the name of the tag configured for gap events in prefs.conf.

tampered = decoration_$PREFSTAGt
* Maps to the decoration tag for an audit event that has been changed such that the cryptographic signature does not match.
* $PREFSTAGt is the name of the tag configured for tampered events in prefs.conf.

cantValidate = decoration_$PREFSTAGc
* Maps to events where no signature exists, or the signature is corrupt and cannot be decrypted, so it cannot be validated.
* $PREFSTAGc is the name of the tag configured for cantValidate events in prefs.conf.
decorations.conf.example
# This is an example decorations.conf. Use this file to configure audit event decorations.
#
# There is a default decorations.conf in $SPLUNK_HOME/etc/bundles/default/. Use this example file to
# create your own custom decorations.conf (to override the default settings).
#
# To set custom configurations, place a decorations.conf in your own custom bundle directory.

# The left side must be these values.
# The right side maps to decorations in the prefs.conf file.

[audittrail]
valid = decoration_my_valid
gap = decoration_my_gap
tampered = decoration_my_tampered
cantValidate = decoration_my_cantvalidate
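A lint check for a custom decorations.conf, added here as an example (not Splunk code): it verifies that the [audittrail] stanza maps each of the four audit event states to a decoration_ tag and flags any other key. The function name, finding messages and sample file are constructed for illustration; it reads one file in isolation, so a key it reports as missing may still be supplied by the default bundle.

```python
import configparser

# The only keys the spec allows on the left side of the [audittrail] stanza.
REQUIRED_KEYS = ("valid", "gap", "tampered", "cantValidate")
TAG_PREFIX = "decoration_"

# Constructed sample: 'tampered' is missing, 'gap' lacks the prefix,
# and 'invalid' is not one of the four states.
SAMPLE_CONF = """\
# custom bundle decorations.conf (constructed sample)
[audittrail]
valid = decoration_my_valid
gap = my_gap
cantValidate = decoration_my_cantvalidate
invalid = decoration_my_invalid
"""

def lint_decorations(text):
    """Return a sorted list of findings for the text of one decorations.conf."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # assumption: key case is significant ('cantValidate')
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable file: {exc.__class__.__name__}"]
    if not parser.has_section("audittrail"):
        return ["missing [audittrail] stanza"]
    stanza = dict(parser.items("audittrail"))
    findings = []
    for key in REQUIRED_KEYS:
        value = stanza.get(key, "").strip()
        if not value:
            findings.append(f"{key}: no mapping in this file")
        elif not value.startswith(TAG_PREFIX) or value == TAG_PREFIX:
            findings.append(f"{key}: '{value}' is not a '{TAG_PREFIX}' tag name")
    for key in stanza:
        if key not in REQUIRED_KEYS:
            findings.append(f"{key}: not one of the four audit event states")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_decorations(SAMPLE_CONF):
        print(finding)
```

A missing or misnamed `tampered` or `gap` mapping is the finding to act on first, since those are the states that indicate a modified or incomplete audit trail.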
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6