Customize Splunk Web messages
You can modify notifications that display in Splunk Web in one of two ways:
- You can add and edit the text of custom notifications that display in the Messages menu.
- You can set the audience for certain error or warning messages generated by Splunk Enterprise.
Add or edit a custom notification
You can add a custom message to Splunk Web, for example to notify your users of scheduled maintenance. You need admin or system user level privileges to add or edit a custom notification.
To add or change a custom notification:
- Select Settings > User Interface.
- Click New to create a new message, or click Bulletin Messages and select the message you want to edit.
- Give your new message a name and message text, or edit the existing text.
- Click Save. The message will now appear when the user accesses Messages in the menu.
Set audience for a Splunk Enterprise message
For some messages that appear in Splunk Web, you can control which users see the message.
If by default a message displays only for users with a particular capability, such as
admin_all_objects, you can display the message to more of your users, without granting them the
admin_all_objects capability. Or you can have fewer users see a message.
The message you configure must exist in
messages.conf. You can set the audience for a message by role or by capability, by modifying settings in
Identify a message available for audience scoping
The message you restrict must exist in messages.conf. Not all messages reside in messages.conf, but as a first indicator, if the message contains a Learn more link, it definitely resides in messages.conf and is configurable. If it does not contain a Learn more link, it might or might not reside in messages.conf.
Once you have chosen a message you want to configure, check whether it is configurable. Search for parts of the message string in
$SPLUNK_HOME/etc/system/default/messages.conf on *nix or
%SPLUNK_HOME%\etc\system\default\messages.conf on Windows. The message string is a setting within a stanza. The stanza name is a message identifier. Make note of the stanza name.
For example, searching the default messages.conf for text in the above screenshot, like "artifacts in the dispatch directory" or even just "artifacts," leads you to the following stanza:
[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU] message = The number of search artifacts in the dispatch directory is higher than recommended (count=%lu, warning threshold=%lu) and could have an impact on search performance. action = Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size. severity = warn capabilities = admin_all_objects help = message.dispatch.artifacts
The stanza name for this message is
About editing messages.conf
A best practice for modifying messages.conf is to use a custom app. Deploy the app containing the message modifications to every instance in your deployment. Never edit configuration files in default.
Scope a message by capability
Set the capability or capabilities required to view a message using the
capabilities attribute in the
messages.conf stanza for the message. A user must have all the listed capabilities to view the message.
[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU] capabilities = admin_all_objects, can_delete
For a list of capabilities and their definitions, see About defining roles with capabilities in Securing Splunk Enterprise.
If a role is set for the message, that takes precedence over the capabilities attribute, and the capabilities attribute is ignored.
Scope a message by role
Set the role or roles required to view a message using the
roles attribute in the messages.conf stanza for the message. If a user belongs to any of these roles, the message will be visible to them.
If a role scope is specified with this attribute, it takes precedence over the capabilities attribute, which is ignored for the message.
[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU] roles = admin
See About configuring role-based user access in Securing Splunk Enterprise.
Splunk Enterprise default dashboards
About configuration files
This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0