Configure display options for SPL2 searches in the Search bar

Use the Search bar to help you read, parse, or interpret SPL2 syntax.

Search statements can be long and difficult to read. The Search bar contains features to help you read, parse, or interpret the SPL2 syntax.

The advanced editor feature, which is turned on by default, provides the following display options to help you read your searches:

  • Syntax highlighting, which displays parts of SPL in different colors. Syntax highlighting is available in 2 different color themes.

  • Line numbering, which identifies each line of your search with a number in the margin.

These display options are configured in the Preferences dialog box. Changing the options in the Preferences dialog box changes the setting only for you. It does not impact the setting for other users. See the following sections for more information:
Note: You cannot change the configuration options in the Preferences dialog box if you have a Splunk Free license. See About Splunk Free in the Splunk Enterprise Admin manual.

If you have file system access, you can change the default display options for all users on your Splunk platform deployment. For more information, see Change the default display options for all users.

Turn off syntax highlighting

Turn off syntax highlighting for searches if you have difficulty distinguishing between colors or want a simplified search bar.

Syntax highlighting can make searches easier to read by color-coding commands, arguments, functions, and keywords. The following image shows a search with syntax highlighting:

This screen image shows the Search bar with the language picker set to SPL2. The Search bar contains the following search: select count(), action, host from main where status=400 groupby action, host. Commands and their clauses such as select, from, and groupby are colored blue. The function name "count" is colored light brown. Dataset and field names such as action, host, main, and status are colored dark orange.

By default, the Search bar includes syntax highlighting. You can turn syntax highlighting colors off by turning off the advanced editor. This is useful for people who have difficulty distinguishing between different colors.

Note: When the advanced editor is turned off, the color themes and line numbering features are not available.
  1. On the Splunk bar, select your account user name, then Preferences.
    This screen image shows the Splunk bar. The user account name "Administrator" is selected. The Preferences menu choice is selected.
  2. Select Search editor.
  3. Turn off Advanced editor.
  4. Select Apply.

Change the color theme

You can change the color theme of your search bar when syntax highlighting is turned on.

When syntax highlighting is turned on, you can change the appearance of your search criteria by specifying a color theme. Choose from the following themes:
Theme nameDescription

Default system theme

Inherits the default system theme.

Light

  • White background.

  • Black text.

  • Colors for commands, arguments, functions, keyword modifiers, and Boolean operators.

Dark

  • Black background.

  • Light grey text.

  • Colors for commands, arguments, functions, keyword modifiers, and Boolean operators.

The following image shows syntax highlighting with the Light theme:

This screen image shows the Search bar with a white background, and with the language picker set to SPL2. The Search bar contains the following search: select count(), action, host from main where status=400 groupby action, host. Commands and their clauses such as select, from, and groupby are colored blue. The function name "count" is colored light brown. Dataset and field names such as action, host, main, and status are colored dark orange.

The following image shows syntax highlighting with the Dark theme:

This screen image shows the Search bar with a black background, and with the language picker set to SPL2. The Search bar contains the following search: select count(), action, host from main where status=400 groupby action, host. Commands and their clauses such as select, from, and groupby are colored blue. The function name "count" is colored light brown. Dataset and field names such as action, host, main, and status are colored dark orange.
  1. On the Splunk bar, select your user account name, then Preferences.
    This screen image shows the Splunk bar. The user account name "Administrator" is selected. The Preferences menu choice is selected.
  2. Select Search editor.
  3. Confirm that Advanced editor is turned on.
  4. In the SPL and SPL2 searches section, select the Search bar theme that you want to use.
  5. Select Apply.

Turn on line numbering

Turn on line numbering in the Search bar to make reading your searches easier.

To make reading your searches easier, you can display line numbers in the Search bar. The following image shows line numbers turned on.
This screen image shows the Search bar with the language picker set to SPL2. The search bar contains a long search that has been broken up into 5 lines. The left margin of the search bar shows a number at the start of each line.

By default, line numbering is turned off. You can turn on line numbering in the Preferences dialog box.

  1. On the Splunk bar, select your user account name, then Preferences.
    This screen image shows the Splunk bar. The user account name "Administrator" is selected. The Preferences menu choice is selected.
  2. Select Search editor.
  3. Confirm that Advanced editor is turned on.
  4. In the SPL and SPL2 searches section, turn on Line numbers.
  5. Select Apply.

Change the default display options for all users

Change default display options for all users only if you have file system access.

  • Only users with file system access, such as system administrators, can change the default display settings for all users. If you are using Splunk Cloud Platform and want to change the default display settings for your Splunk system, open a Support ticket.

  • Review the steps in How to edit a configuration file in the Admin Manual.

Note: Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.

Follow these steps to change display options in the Search bar globally for all users.

  1. Open the local user-prefs.conf file for the Search app. For example, $SPLUNK_HOME/etc/apps/search/local.
  2. Under the [general] stanza, you can change the settings listed in the following table.

    Be aware that the search_use_advanced_editor attribute must be set to true in order for the other attributes to take effect.

    Feature Attribute syntax Default setting
    Advanced editor, which includes syntax highlightingsearch_use_advanced_editor = booleantrue
    Color theme search_syntax_highlighting = light, dark, or default-system-theme default-system-theme
    Line numbering search_line_numbers = boolean false
  3. Restart the Splunk platform instance.