prefs.conf

prefs.conf

prefs.conf controls per-user settings including SplunkWeb search and result display preferences and dashboard layout.

prefs.conf.spec

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains all possible attributes and value pairs for a prefs.conf
# file.  Use this file to configure display preferences in Splunk Web.
#
# There is a prefs.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place a prefs.conf in $SPLUNK_HOME/etc/system/local/. For help, see
# prefs.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
#
# Global default preferences are specified at the top of the file
# without a stanza name.
#
# Subsequent stanzas are organized by user name, and hold user-specific settings.
# The user settings override any global preferences.
selectedKeys = <space-separated string> 
* This value represents the default arguments to the Splunk Web select processor.  
* Whenever any of these keys are present in the data, they appear in the filtering bar, just below the timeline, and just above the events returned by the search.   
* If a key in the list is not present in the data, it will not appear in the filtering bar. 
* Defaults to source host sourcetype.
skin = <string>
* This value represents the name of the skin CSS file that should be loaded by default. 
* Splunk ships with 'basic' and 'black' and defaults to 'basic.'
* You are free to create your own files and activate them by placing them in the share/splunk/search_oxiclean/static/css/skins/ directory.
* For instance, placing a foo.css file in the skins dir will make 'foo' appear as a third option in the Splunk Web theme pulldown, as well as make 'foo' a valid value for <string>.
* Defaults to Basic.
dashboard_activeset = <string>
* Represents the name of the currently loaded dashboard panel set.  
* The value here is linked to a 'dashboardset_*' key name that exists as a prefs.conf key.  
* For example, a value of 'foo' means that another key named 'dashboardset_foo' MUST exist.
	
dashboardset_<setname> = <JS array literal>
* Represents a list of saved search names to load as a unit on the Splunk Web home page.  
* The second part of this keyname is linked to the 'dashboard_activeset' key.  
* It is expected that there will be multiple versions of this key, i.e. 'dashboardset_default', 'dashboardset_admin', 'dashboardset_noc', etc.
* The <JS array literal> is a JSON array format: ['web_errors','failed_logins','db_exceptions']
* Set to SPLUNK-DELETED-DASHBOARD to hide the dashboard and remove from the dashboard dropdown in Splunk Web.
dashboard_customList = <comma separated list of custom list modules>
* Define custom list modules in dashboard_customlist_NAME_OF_CUSTOM_LIST_MODULE.
dashboard_customlist_NAME_OF_CUSTOM_LIST_MODULE_searches = <any valid search>
* Set a search to appear in your dashboard.
* Note: You must also use the*_labels attribute (below).
dashboard_customlist_NAME_OF_CUSTOM_LIST_MODULE_labels = <label your searches>
* Add a label to your searches.
* Note: You must use this attribute if you are using*_searches, even if you don't want to label your searches. Leave it blank.
dashboard_customlist_NAME_OF_CUSTOM_LIST_MODULE_text = <html>
* Any valid html.
* Use the *_text attribute instead of *_searches and *_labels.
* Each line must end with a \ to mark a newline.
		
saved_<saved_search_name>_panelIsOpen = true | false
* Indicates the panel state of a particular saved search when displayed in a dashboard set.  
* If 'true', then the full panel is shown.  
* If 'false', then only a summary line is shown.  
* The <saved_search_name> is the full search string of the saved search with all non-alpha characters removed.
	
saved_<saved_search_name>_panelMode = <string>
* Indicates the view state of a saved search when displayed in a dashboard set.  
* The values for this correspond to the available panels than can be shown on a given search.  
* Typical values are: 'Timeline', 'Chart', and 'Table'.  
* The <saved_search_name> is the full search string of the saved search with all non-alpha characters removed.
showMeta = true | false
* Toggle the following on and off:
 * fields
 * dividers between events
 * timestamp at the left of the event
 * the colored time boundary bars between events
* Defaults to true.
softWrap = true | false
* Toggle on and off softWrap.
* If set to true, events softwrap at the browser window edge.
* If set to false, events will go offscreen and trigger horizontal scrollbars.
* Defaults to true.
showTimeline = true | false
* Toggle on and off the timeline chart in search results view.
* Please note:  reporting has its own timechart graph, and this setting is unrelated.
* Defaults to true.
format = Inner | Outer | Raw | Full
* Set the segmentation display options.
* Set to Inner, Outer, Raw, or Full.
* To configure segmentation in events, use segmenters.conf.
* Defaults to Full.
maxResults = <integer>   
* Set the number of events that the search language should load when doing processing, field extraction, charting, etc.
* NOTE: This setting is different from maxresults in savedsearches.conf.
* Defaults to 50000.

prefs.conf.example

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains an example prefs.conf.  Use this file to configure display preferences in Splunk Web.
#
# To use one or more of these configurations, copy the configuration block into
# prefs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
# The following example sets default settings for all users of a single instance.
selectedKeys = "source host punct ip sourcetype eventtype"
format = "Inner"
skin = "Basic"
defaultTimeRange = startminutesago::60
maxResults = 50000
# The following example sets display preferences for user Admin.
[user:admin]
format = "Outer"
skin = "Basic"
showMeta = false
softWrap = true
showTimeline = false
maxResults = 50000
	
# The following example sets display preferences for user Bob.
[user:bob]
format = "Full"
skin = "Black"
showMeta = true
softWrap = true
showTimeline = true
maxResults = 5000
# Mask all dashboards
# The following example masks all the default dashboards in ../default/prefs.conf.
# Splunk starts with a blank dashboard that each user can customize.
dashboardset_getting_started = SPLUNK-DELETED-DASHBOARD
dashboardset_admin = SPLUNK-DELETED-DASHBOARD
dashboardset_main = SPLUNK-DELETED-DASHBOARD
dashboard_activeset = test
dashboardset_test = null
dashboard_intro_getting_started = 
# ADVANCED EXAMPLE
# Advanced custom search dashboard example using Twiki. Edit the searches and display options to 
# customize this example for your own dataset.
#This defines the modules for the Twiki dashboard. The first module is a custom _text module, 
#the 2nd, 3rd, 4th are all custom 'columns of blue links' modules. And the last one is a Flash chart.
dashboardset_twiki = TwikiIntro,Twiki saved searches,Twiki activity last 24 hours,Twiki activity 
last 7 days,Users editing in the last 24 hours,Pages edited in the last 24 hours
# The $+ is important, as we dont want to blow away the custom list, but rather append to existing ones.
dashboard_customList = Twiki activity last 7 days,Twiki activity last 24 hours,TwikiIntro,Twiki saved searches,$+
# Custom list entries have to have a _searches and a _labels entry (even if the _labels one is empty).
# If you have only one search in the _searches list, you can let it return as many as you want, and 
# it will split the rendering up into 2 and 3 columns past certain thresholds.
dashboard_customList_Twiki_saved_searches_searches = ['| admin mysavedsearches | where stanza LIKE 
"Twiki%" | rename stanza as name query as term | sort name']
dashboard_customList_Twiki_saved_searches_labels =
# If you have more than one search in _searches, you MUST limit the results to 15 by whatever
# means you choose. This is to defeat the auto-column-splitting feature referred to above, 
# which renders poorly.
# You must use _labels when there is more than one search in the _searches key. 
# They appear as subheaders above the respective results.
dashboard_customList_Twiki_activity_last_24_hours_searches = ['sourcetype="twiki" ( save OR edit ) 
starthoursago="24" | top limit=15 twikiuser | eval term="( save OR edit ) ".twikiuser | rename 
twikiuser as name | rename count as rowCount', 'sourcetype="twiki" ( attach OR upload ) 
starthoursago="24" | top limit=15 twikiuser | eval term="(attach OR upload) ".twikiuser | rename 
twikiuser as name | rename count as rowCount']
dashboard_customList_Twiki_activity_last_24_hours_labels = Edits, Uploads
dashboard_customList_Twiki_activity_last_7_days_searches = ['sourcetype::twiki edit 
startdaysago::7 | where date_hour>20 OR date_hour<5 | top limit=15 twikiuser | 
eval term="edit ".twikiuser." | where date_hour>20 OR date_hour<5" | rename twikiuser as name | 
rename count as rowCount', 'host::twiki view | where twikiuser=twikipage | top limit=15 twikiuser | 
rename twikiuser as name | rename count as rowCount | eval term="host::twiki view ".name." | 
where twikiuser=twikipage"','host::twiki *kickoff* save startdaysago::7 | top limit=15 twikipage | 
rename twikipage as name count as rowCount | eval term="host::twiki \"*kickoff*\" | where 
twikipage=\".twikipage.\""' ]
dashboard_customList_Twiki_activity_last_7_days_labels=Insomnia,Profile updates,Edited pages with 
'kickoff' in the title. (replace kickoff with anything you want to keep an eye on)
dashboard_customList_TwikiIntro_text = \
     With this application enabled, you'll get \
     <ul> \
         <li>some extracted fields like twikiuser, twikipage, twikiaction</li> \
         <li>some event types, like twikiViews, twikiEdits, twikiUploads</li> \
         <li>some field actions, some that go to the live twiki, some that launch 'show source' style viewers within Splunk </li> \
         <li>Some shared dashboard charts, as you see here</li> \
         <li>Some custom 'blue link' modules that show various useful little searches and breakdowns</li> \
         <li>Also there's a <a href="http://spacecake:28000/?s=Twiki%20-%20template%20for%20Twiki%20homepage%20by%20hour%20of%20day" 
         target="_top">Form Search</a> template for viewing distribution of classes of events split by hour of the day. </li> \
     </ul>

• Was this topic useful?
• Post a comment