Splunk® Enterprise

Admin Manual

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

messages.conf

The following are the spec and example files for messages.conf.

messages.conf.spec

   Version 8.0.6

 This file contains attribute/value pairs for configuring externalized strings
 in messages.conf.

 There is a messages.conf in $SPLUNK_HOME/etc/system/default/.  To set custom
 configurations, place a messages.conf in $SPLUNK_HOME/etc/system/local/. You
 must restart the instance to enable configurations.

 To learn more about configuration files (including precedence) please see the
 documentation located at
 http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

 For the full list of all messages that can be overridden, check out
 $SPLUNK_HOME/etc/system/default/messages.conf

 The full name of a message resource is component_key + ':' + message_key.
 After a descriptive message key, append two underscores, and then use the
 letters after the % in printf style formatting, surrounded by underscores.

 For example, assume the following message resource is defined:

   [COMPONENT:MSG_KEY__D_LU_S]
   message = FunctionX returned %d, expected %lu.
   action  = See %s for details.

 The message key expects 3 printf-style arguments: %d, %lu, %s. These arguments
 can be in either the message or action fields but must appear in the same order.

 In addition to the printf style arguments above, some custom UI patterns are
 allowed in the message and action fields. These patterns are rendered by
 the UI before displaying the text.

 For example, a message can link to a specific Splunk Web page using this pattern:

   [COMPONENT:MSG_LINK__S]
   message = License key '%s' is invalid.
   action  = See [[/manager/system/licensing|Licensing]] for details.

 Another custom formatting option is for date/time arguments. If the argument
 should be rendered in local time and formatted to a specific language,
 provide the unix timestamp and prefix the printf style argument with "$t".
 This indicates that the argument is a timestamp (not a number) and
 should be formatted into a date/time string.

 The language and timezone used to render the timestamp is determined during
 render time given the current user viewing the message. It is not required to
 provide these details here.

 For example, assume the following message resource is defined:

   [COMPONENT:TIME_BASED_MSG__LD]
   message = Component exception @ $t%ld.
   action  = See splunkd.log for details.

 The first argument is prefixed with "$t", and therefore will be treated as a
 unix timestamp. It will be formatted as a date/time string.

 For these and other examples, check out
 $SPLUNK_HOME/etc/system/README/messages.conf.example




 Component

[<component>]

name = <string>
* The human-readable name used to prefix all messages under this component.
* Required.
* No default.


 Message

[<component>:<key>]

message = <string>
* String describing what and why something happened.
* Required.

message_alternate = <string>
* An alternative static string for this message.
* Any arguments are ignored.
* Default: empty string

action = <string>
* A string that describes the suggested next step to take in reaction
  to the message.
* Default: empty string

severity = critical|error|warn|info|debug
* The severity of the message.
* Default: warn

capabilities = <comma-separated list>
* A comma-separated list of the capabilities required to view the message.
* Default: empty string

roles = <comma-separated list>
* A comma-separated list of the roles required to view the message.
* If a user belongs to any of these roles, the user will see the message.
* If a role scope is specified with this setting, it takes precedence over the
  "capabilities" setting, which is ignored for the message.
* This setting should be manually configured with any system- or user-created
  role.
* Default (Splunk Enterprise): not set

help = <string>
* The location string to link users to specific documentation.
* No default.

target = [auto|ui|log|ui,log|none]
* Sets the message display target.
  * "auto" means the message display target is automatically determined by
    context.
  * "ui" messages are displayed in Splunk Web and can be passed on from
    search peers to search heads in a distributed search environment.
  * "log" messages are displayed only in the log files for the instance under
    the BulletinBoard component, with log levels that respect their message
    severity. For example, messages with severity "info" are displayed as INFO
    log entries.
  * "ui,log" combines the functions of the "ui" and "log" options.
  * "none" completely hides the message. (Please consider using "log" and
    reducing severity instead. Using "none" might impact diagnosability.)
* Default: auto

messages.conf.example

#   Version 8.0.6
#
# This file contains an example messages.conf of attribute/value pairs for 
# configuring externalized strings.
#
# There is a messages.conf in $SPLUNK_HOME/etc/system/default/.  To set custom
# configurations, place a messages.conf in $SPLUNK_HOME/etc/system/local/. You
# must restart the instance to enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
#
# For the full list of all literals that can be overridden, check out
# $SPLUNK_HOME/etc/system/default/messages.conf


[DISK_MON]
name = Disk Monitor

[DISK_MON:INSUFFICIENT_DISK_SPACE_ERROR__S_S_LLU]
message      = Cannot write data to index path '%s' because you are low on disk space on partition '%s'. Indexing has been paused.
action       = Free disk space above %lluMB to resume indexing.
severity     = warn
capabilities = indexes_edit
help         = learnmore.indexer.setlimits


[LM_LICENSE]
name = License Manager

[LM_LICENSE:EXPIRED_STATUS__LD]
message      = Your license has expired as of $t%ld.
action       = $CONTACT_SPLUNK_SALES_TEXT$
capabilities = license_edit

[LM_LICENSE:EXPIRING_STATUS__LD]
message      = Your license will soon expire on $t%ld.
action       = $CONTACT_SPLUNK_SALES_TEXT$
capabilities = license_edit

[LM_LICENSE:INDEXING_LIMIT_EXCEEDED]
message      = Daily indexing volume limit exceeded today.
action       = See [[/manager/search/licenseusage|License Manager]] for details.
severity     = warn
capabilities = license_view_warnings
help         = learnmore.license.features

[LM_LICENSE:MASTER_CONNECTION_ERROR__S_LD_LD]
message      = Failed to contact license master: reason='%s', first failure time=%ld ($t%ld).
severity     = warn
capabilities = license_edit
help         = learnmore.license.features

[LM_LICENSE:SLAVE_WARNING__LD_S]
message      = License warning issued within past 24 hours: $t%ld.
action       = Please refer to the License Usage Report view on license master '%s' to find out more.
severity     = warn
capabilities = license_edit
help         = learnmore.license.features

Last modified on 25 August, 2020
macros.conf   metric_alerts.conf

This documentation applies to the following versions of Splunk® Enterprise: 8.0.6


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters