Customize Splunk Web messages

You can modify notifications that display in Splunk Web in one of two ways:

  • You can add and edit the text of custom notifications that display in the Messages menu.
  • You can set the audience for certain error or warning messages generated by Splunk Enterprise.

Add or edit a custom notification

You can add a custom message to Splunk Web, for example to notify your users of scheduled maintenance. You need admin or system user level privileges to add or edit a custom notification.

To add or change a custom notification:

  1. Select Settings > User Interface.
  2. Click New to create a new message, or click Bulletin Messages and select the message you want to edit.
  3. Give your new message a name and message text, or edit the existing text.
  4. Click Save. The message will now appear when the user accesses Messages in the menu.

Set audience for a Splunk Enterprise message

For some messages that appear in Splunk Web, you can control which users see the message.

If a message displays by default only for users with a particular capability, such as admin_all_objects, you can display the message to more of your users without granting them the admin_all_objects capability. You can also restrict a message so that fewer users see it.

The message you configure must exist in messages.conf. You can set the audience for a message by role or by capability, by modifying settings in messages.conf.

Identify a message available for audience scoping

The message you restrict must exist in messages.conf. Not all messages reside in messages.conf, but as a first indicator, if the message contains a Learn more link, it definitely resides in messages.conf and is configurable. If it does not contain a Learn more link, it might or might not reside in messages.conf.

For example, the message in the following image contains a Learn more link:

[Image: UI message learnmore.png]

Once you have chosen a message you want to configure, check whether it is configurable. Search for parts of the message string in $SPLUNK_HOME/etc/system/default/messages.conf on *nix or %SPLUNK_HOME%\etc\system\default\messages.conf on Windows. The message string is a setting within a stanza. The stanza name is a message identifier. Make note of the stanza name.

For example, searching the default messages.conf for text in the above screenshot, like "artifacts in the dispatch directory" or even just "artifacts," leads you to the following stanza:

[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU]
message      = The number of search artifacts in the dispatch directory is higher than recommended (count=%lu, warning threshold=%lu) and could have an impact on search performance.
action       = Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size.
severity     = warn
capabilities = admin_all_objects
help         = message.dispatch.artifacts

The stanza name for this message is DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU.

About editing messages.conf

A best practice for modifying messages.conf is to use a custom app. Deploy the app containing the message modifications to every instance in your deployment. Never edit configuration files in default.

See How to edit a configuration file.

Scope a message by capability

Set the capability or capabilities required to view a message using the capabilities attribute in the messages.conf stanza for the message. A user must have all the listed capabilities to view the message.

For example:

capabilities = admin_all_objects, can_delete

For a list of capabilities and their definitions, see About defining roles with capabilities in Securing Splunk Enterprise.

If a role is set for the message, that takes precedence over the capabilities attribute, and the capabilities attribute is ignored.

See messages.conf.spec.

Scope a message by role

Set the role or roles required to view a message using the roles attribute in the messages.conf stanza for the message. If a user belongs to any of these roles, the message will be visible to them.

If a role scope is specified with this attribute, it takes precedence over the capabilities attribute, which is ignored for the message.

For example:

roles = admin

See About configuring role-based user access in Securing Splunk Enterprise.
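
The stanza lookup and the two audience rules described above (all listed capabilities required, any listed role sufficient, roles overriding capabilities), as an added Python example that is not Splunk code. The parser reads single-line settings only, the sample stanza is constructed from the one shown earlier, and the helper names and the treatment of a stanza with neither setting as unrestricted are assumptions.

```python
# Added example: simplified reader for messages.conf, not Splunk's own code.
# SAMPLE_CONF is constructed from the stanza shown on this page.
SAMPLE_CONF = """\
[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU]
message      = The number of search artifacts in the dispatch directory is higher than recommended (count=%lu, warning threshold=%lu) and could have an impact on search performance.
severity     = warn
capabilities = admin_all_objects
"""

def parse_conf(text):
    """Parse .conf text into {stanza_name: {setting: value}} (single-line settings only)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split once: values may contain "="
            current[key.strip()] = value.strip()
    return stanzas

def find_stanzas(stanzas, fragment):
    """Return the stanza names whose message text contains the fragment."""
    return [name for name, settings in stanzas.items()
            if fragment.lower() in settings.get("message", "").lower()]

def _csv(value):
    return {item.strip() for item in value.split(",") if item.strip()}

def can_view(stanza, user_roles, user_caps):
    """Decide visibility of one message for a user's roles and capabilities."""
    roles = _csv(stanza.get("roles", ""))
    if roles:  # a role scope takes precedence; capabilities are ignored
        return bool(roles & set(user_roles))  # any one listed role is enough
    required = _csv(stanza.get("capabilities", ""))
    # Assumption: a stanza with neither setting is treated as unrestricted.
    return required <= set(user_caps)  # the user must hold all listed capabilities

def apply_override(stanzas, name, settings):
    """Layer a custom app's settings for one stanza over the default stanza."""
    merged = dict(stanzas[name])
    merged.update(settings)
    return merged
```
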

