Admin Manual
decorations.conf
Use this file to configure event decorations in Splunk Web.


decorations.conf.spec

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0
#
# This file contains possible attributes and values you can use to configure decorating audit events
# in decorations.conf.  
#
# NOTE: You can only decorate audit events with this file.  To configure decorations for 
# other events, please see prefs.conf.spec.
#
# There is a decorations.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place a decorations.conf in $SPLUNK_HOME/etc/system/local/.  For examples, see 
# decorations.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
[audittrail]
        * This stanza turns on decorations.
        * Follow this stanza name with any number of the following attribute/value pairs.
        * Each attribute maps to any tag in 'prefs.conf' that starts with the word 'decoration_'.
valid = decoration_$PREFSTAGv
        * Maps to the decoration tag for an audit event that is in sequence and has not been tampered with.
        * $PREFSTAGv is the name of the tag configured for valid events in prefs.conf.
        
gap = decoration_$PREFSTAGg
        * Maps to the decoration tag for an audit event that has an event before it that is out of 
                sequence or missing.
        * $PREFSTAGg is the name of the tag configured for gap events in prefs.conf.
        
tampered = decoration_$PREFSTAGt
        * Maps to the decoration tag for an audit event that has been changed such that the 
                cryptographic signature does not match.
        * $PREFSTAGt is the name of the tag configured for tampered events in prefs.conf.

cantValidate = decoration_$PREFSTAGc
        * Maps to events where no signature exists, or the signature is corrupt and cannot be decrypted, 
                so it cannot be validated.
        * $PREFSTAGc is the name of the tag configured for cantValidate events in prefs.conf.

decorations.conf.example

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0
#
# This is an example decorations.conf.  Use this file to configure audit event decorations.
# NOTE: You can only decorate audit events with this file.  To configure decorations for 
# other events, please see prefs.conf.spec.
#
# To use one or more of these configurations, copy the configuration block into decorations.conf 
# in $SPLUNK_HOME/etc/system/local/.  You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
# The left side must be these values.
# The right side maps to decorations in prefs.conf.
[audittrail]
valid = decoration_my_valid
gap = decoration_my_gap
tampered = decoration_my_tampered
cantValidate = decoration_my_cantvalidate
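As an added example that is not part of the Splunk documentation, the following Python parses the example stanza above, enforces the two rules the example states (the left side must be one of the four listed attributes, the right side must name a prefs.conf decoration_ tag), and walks a constructed audit trail to show when each of the four states applies. The signing scheme (HMAC-SHA256 over "seq:msg" with a demo key), the event dictionaries and the SAMPLE trail are constructed stand-ins for illustration, not Splunk's own audit signing mechanism.

```python
import configparser
import hashlib
import hmac
# Constructed decorations.conf text, matching the stanza in decorations.conf.example.
DECORATIONS_CONF = """[audittrail]
valid = decoration_my_valid
gap = decoration_my_gap
tampered = decoration_my_tampered
cantValidate = decoration_my_cantvalidate
"""
ALLOWED_KEYS = {"valid", "gap", "tampered", "cantValidate"}

def load_decorations(text):
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep 'cantValidate' in its written case
    cp.read_string(text)
    stanza = dict(cp["audittrail"])
    for key, value in stanza.items():  # left side: a listed attribute; right side: a decoration_ tag
        if key not in ALLOWED_KEYS or not value.startswith("decoration_"):
            raise ValueError(f"bad decorations.conf entry: {key} = {value}")
    return stanza

# Hypothetical, simplified audit-event model (not Splunk's real scheme): HMAC-SHA256 over "seq:msg".
SECRET = b"constructed-demo-key"
def sign(seq, msg):
    return hmac.new(SECRET, f"{seq}:{msg}".encode(), hashlib.sha256).hexdigest()

def classify(event, prev_seq):
    """Map one event to valid / gap / tampered / cantValidate as the spec defines them."""
    sig = event.get("sig")
    if not sig or len(sig) != 64:
        return "cantValidate"  # no signature, or one too corrupt to check
    if not hmac.compare_digest(sig, sign(event["seq"], event["msg"])):
        return "tampered"      # content or sequence number altered after signing
    if prev_seq is not None and event["seq"] != prev_seq + 1:
        return "gap"           # the event before this one is missing or out of order
    return "valid"

def decorate(events, conf):
    """Walk the trail in stored order; return (seq, state, decoration tag) for each event."""
    out, prev_seq = [], None
    for ev in events:
        state = classify(ev, prev_seq)
        out.append((ev["seq"], state, conf[state]))
        prev_seq = ev["seq"]
    return out
SAMPLE = [{"seq": 1, "msg": "login admin", "sig": sign(1, "login admin")},
          {"seq": 2, "msg": "search (edited)", "sig": sign(2, "search")},   # edited after signing
          {"seq": 4, "msg": "logout admin", "sig": sign(4, "logout admin")},  # event 3 is missing
          {"seq": 5, "msg": "restart", "sig": None}]                          # never signed
```

Running decorate(SAMPLE, load_decorations(DECORATIONS_CONF)) yields the states valid, tampered, gap, cantValidate in that order, each paired with the tag the stanza maps it to.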

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.