prefs.conf
This documentation does not apply to the most recent version of Splunk.
prefs.conf controls per-user settings including SplunkWeb search and result display preferences and dashboard layout.
prefs.conf.spec
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains all possible attributes and value pairs for a prefs.conf
# file. Use this file to configure display preferences in SplunkWeb.
#
# There is a prefs.conf in $SPLUNK_HOME/etc/bundles/default/. To set custom configurations,
# place a prefs.conf in your own custom bundle directory.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
#
# Global default preferences are specified at the top of the file
# without a stanza name.
#
# Subsequent stanzas are organized by user name, and hold user-specific settings.
# The user settings override any global preferences.
#
# For help, see $SPLUNK_HOME/etc/bundles/README/prefs.conf.example.

selectedKeys = <space-separated string>
* This value represents the default arguments to the SplunkWeb select processor.
* Whenever any of these keys are present in the data, they will appear in the filtering bar, just below the timeline, and just above the events returned by the search.
* If a key in the list is not present in the data, it will not appear in the filtering bar.

skin = <string>
* This value represents the name of the skin CSS file that should be loaded by default.
* Splunk ships with 'basic' and 'black' and defaults to 'basic.'
* You are free to create your own files and activate them by placing them in the share/splunk/search_oxiclean/static/css/skins/ directory.
* For instance, placing a foo.css file in the skins dir will make 'foo' appear as a third option in the SplunkWeb theme pulldown, as well as make 'foo' a valid value for <string>.

dashboard_activeset = <string>
* Represents the name of the currently loaded dashboard panel set.
* The value here is linked to a 'dashboardset_*' key name that exists as a prefs.conf key.
* For example, a value of 'foo' means that another key named 'dashboardset_foo' MUST exist.

dashboardset_<setname> = <JS array literal>
* Represents a list of saved search names to load as a unit on the SplunkWeb home page.
* The second part of this keyname is linked to the 'dashboard_activeset' key.
* It is expected that there will be multiple versions of this key, i.e. 'dashboardset_default', 'dashboardset_admin', 'dashboardset_noc', etc.
* The <JS array literal> is a JSON array format: ['web_errors','failed_logins','db_exceptions']

lastReportClause = <string>
* Holds the last executed 'report' clause entered in SplunkWeb.
* This is the default reporting action that is run when a user switches result views between 'results', 'raw', 'report'.
* Example: 'report top _ip'.

startpage = <string>
* Indicates the starting page to be displayed in SplunkWeb upon loading the Splunk Server home page.
* Values are:
  - '_default': loads the currently selected dashboard.
  - 'first': loads the 'first-time run' welcome page.
  - 'second': loads the 'second-time run' welcome page.

saved_<saved_search_name>_panelIsOpen = <true/false>
* Indicates the panel state of a particular saved search when displayed in a dashboard set.
* If 'true', then the full panel is shown.
* If 'false', then only a summary line is shown.
* The <saved_search_name> is the full search string of the saved search with all non-alpha characters removed.

saved_<saved_search_name>_panelMode = <string>
* Indicates the view state of a saved search when displayed in a dashboard set.
* The values for this correspond to the available panels that can be shown on a given search.
* Typical values are: 'Timeline', 'Chart', and 'Table'.
* The <saved_search_name> is the full search string of the saved search with all non-alpha characters removed.

showMeta = <true/false>
* Toggle on and off: fields, dividers between events, timestamp at the left of the event, and the colored time boundary bars between events.

softWrap = <true/false>
* Toggle on and off softWrap.
* If set to true, events softwrap at the browser window edge.
* If set to false, events will go offscreen and trigger horizontal scrollbars.

showTimeline = <true/false>
* Toggle on and off the timeline chart in search results view.
* Please note: reporting has its own timechart graph, and this setting is unrelated.

enableExtractedFields = <true/false>
* Toggle whether to group and summarize data by fields extracted at search time.
* Please note: searches will not be as fast when this preference is on.

format = <string>
* Set the segmentation display options.
* Set to Inner, Outer, Raw, or Full.
* To configure segmentation in events, use segmenters.conf.

maxResults = <number>
* Set the number of events that the search language should load when doing processing, field extraction, charting, etc.
prefs.conf.example
# This file contains example preferences.
# To use one or more of these configurations, copy the configuration block into
# prefs.conf in $SPLUNK_HOME/etc/bundles/local/ (or your own custom bundle).
dashboardset_admin = ["errors"]
dashboardset_default = ["errors"]
dashboard_activeset = "default"
startpage = "_default"
selectedKeys = "source host punct ip sourcetype eventtype"
format = "Inner"
skin = "Basic"
defaultTimeRange = startminutesago::60
maxResults = 50000
[user:admin]
format = "Outer"
skin = "Basic"
showMeta = false
softWrap = true
showTimeline = false
maxResults = 50000
enableExtractedFields = true
[user:bob]
format = "Full"
skin = "Black"
showMeta = true
softWrap = true
showTimeline = true
maxResults = 5000
enableExtractedFields = false
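A small linter for the rules the spec states (user stanzas override the global defaults, dashboard_activeset must point at an existing dashboardset_<setname> key, and the enumerated and true/false settings take only the listed values). This is an added example, not Splunk's code; the function names, the sample file and exact-case value matching are assumptions.

```python
import re

# Allowed values as the spec on this page lists them; exact-case matching is an assumption.
BOOLS = {"true", "false"}
ALLOWED = {"format": {"Inner", "Outer", "Raw", "Full"},
           "startpage": {"_default", "first", "second"},
           "showMeta": BOOLS, "softWrap": BOOLS,
           "showTimeline": BOOLS, "enableExtractedFields": BOOLS}

# Constructed sample: [user:bob] carries three deliberate mistakes.
SAMPLE = """\
dashboardset_default = ["errors"]
dashboard_activeset = "default"
format = "Inner"
[user:admin]
format = "Outer"
showTimeline = false
[user:bob]
dashboard_activeset = "noc"
format = "Compact"
softWrap = yes
"""

def parse_prefs(text):
    """Return {stanza: {key: value}}; globals live under ''. No backslash continuations."""
    stanzas, current = {"": {}}, ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip().strip('"')
    return stanzas

def lint_user(stanzas, user):
    """Overlay [user:<name>] on the global defaults, then check the result."""
    prefs = {**stanzas[""], **stanzas.get("user:" + user, {})}
    problems = []
    active = prefs.get("dashboard_activeset")
    if active is not None and "dashboardset_" + active not in prefs:
        problems.append("dashboardset_%s is missing" % active)
    for key, allowed in ALLOWED.items():
        if key in prefs and prefs[key] not in allowed:
            problems.append("%s=%s is not a listed value" % (key, prefs[key]))
    return problems
```

Running lint_user(parse_prefs(SAMPLE), "bob") reports the dangling dashboard set and the two invalid values, while "admin" comes back clean because its overrides are valid and it inherits the global dashboard set.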
prefs.conf.example
# This file contains an example prefs.conf. Use this file to configure display prefs in SplunkWeb.
#
# To use one or more of these configurations, copy the configuration block into
# prefs.conf in your own custom bundle.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
# The following example sets default settings for all users of a single instance.
selectedKeys = "source host punct ip sourcetype eventtype"
format = "Inner"
skin = "Basic"
defaultTimeRange = startminutesago::60
maxResults = 50000
# The following example sets display preferences for user Admin.
[user:admin]
format = "Outer"
skin = "Basic"
showMeta = false
softWrap = true
showTimeline = false
maxResults = 50000
enableExtractedFields = true
# The following example sets display preferences for user Bob.
[user:bob]
format = "Full"
skin = "Black"
showMeta = true
softWrap = true
showTimeline = true
maxResults = 5000
enableExtractedFields = false
# Advanced custom search dashboard example using Twiki. Edit the searches and display options to
# customize this example for your own dataset.
#This defines the modules for the Twiki dashboard. The first module is a custom _text module,
#the 2nd, 3rd, 4th are all custom 'columns of blue links' modules. And the last one is a Flash chart.
dashboardset_twiki = TwikiIntro,Twiki saved searches,Twiki activity last 24 hours,Twiki activity last 7 days,Users editing in the last 24 hours,Pages edited in the last 24 hours
# The $+ is important, as we don't want to blow away the custom list, but rather append to existing ones.
dashboard_customList = Twiki activity last 7 days,Twiki activity last 24 hours,TwikiIntro,Twiki saved searches,$+
# Custom list entries have to have a _searches and a _labels entry (even if the _labels one is empty).
# If you have only one search in the _searches list, you can let it return as many as you want, and
# it will split the rendering up into 2 and 3 columns past certain thresholds.
dashboard_customList_Twiki_saved_searches_searches = ['| admin mysavedsearches | where stanza LIKE "Twiki%" | rename stanza as name query as term | sort name']
dashboard_customList_Twiki_saved_searches_labels =
# If you have more than one search in _searches, you MUST limit the results to 15 by whatever
# means you choose. This is to defeat the auto-column-splitting feature referred to above,
# which renders poorly.
# You must use _labels when there is more than one search in the _searches key.
# They appear as subheaders above the respective results.
dashboard_customList_Twiki_activity_last_24_hours_searches = ['sourcetype="twiki" ( save OR edit ) starthoursago="24" | top limit=15 twikiuser | eval term="( save OR edit ) ".twikiuser | rename twikiuser as name | rename count as rowCount', 'sourcetype="twiki" ( attach OR upload ) starthoursago="24" | top limit=15 twikiuser | eval term="(attach OR upload) ".twikiuser | rename twikiuser as name | rename count as rowCount']
dashboard_customList_Twiki_activity_last_24_hours_labels = Edits, Uploads
dashboard_customList_Twiki_activity_last_7_days_searches = ['sourcetype::twiki edit startdaysago::7 | where date_hour>20 OR date_hour<5 | top limit=15 twikiuser | eval term="edit ".twikiuser." | where date_hour>20 OR date_hour<5" | rename twikiuser as name | rename count as rowCount', 'host::twiki view | where twikiuser=twikipage | top limit=15 twikiuser | rename twikiuser as name | rename count as rowCount | eval term="host::twiki view ".name." | where twikiuser=twikipage"','host::twiki *kickoff* save startdaysago::7 | top limit=15 twikipage | rename twikipage as name count as rowCount | eval term="host::twiki \"*kickoff*\" | where twikipage=\".twikipage.\""' ]
dashboard_customList_Twiki_activity_last_7_days_labels=Insomnia,Profile updates,Edited pages with 'kickoff' in the title. (replace kickoff with anything you want to keep an eye on)
dashboard_customList_TwikiIntro_text = \
With this bundle enabled, you'll get \
<ul> \
<li>some extracted fields like twikiuser, twikipage, twikiaction</li> \
<li>some event types, like twikiViews, twikiEdits, twikiUploads</li> \
<li>some field actions, some that go to the live twiki, some that launch 'show source' style viewers within Splunk </li> \
<li>Some shared dashboard charts, as you see here</li> \
<li>Some custom 'blue link' modules that show various useful little searches and breakdowns</li> \
<li>Also there's a <a href="http://spacecake:28000/?s=Twiki%20-%20template%20for%20Twiki%20homepage%20by%20hour%20of%20day" target="_top">Form Search</a> template for viewing distribution of classes of events split by hour of the day. </li> \
</ul>
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6