Create a Splunk Web message in Splunk Enterprise Security
Create a message in Splunk Web based on the results of a search using the Create Splunk messages alert action. Only administrators can create messages using this alert action.
The message that you create with this alert action must already exist in messages.conf
. See Customize Splunk Web messages in the Splunk Enterprise Admin Manual for more about creating messages.
- You can create Splunk Web messages from a search or from a correlation search:
Option Steps Create a new alert From the Search page in the Search and Reporting app, select Save As > Alert. Type and select alert details and configure triggering and throttling as needed. Create or edit a correlation search From the ES menu bar, select Configure > Content > Content Management. Select Create New Content > Correlation Search. Type and select correlation search configurations as needed. Edit a correlation search From the ES menu bar, select Configure > Content > Content Management. Select the correlation search. - Click Add Actions and select Create Splunk messages.
- Select a Name. The name corresponds to a stanza in
messages.conf
of an existing message.
For example,DISK_MON:INSUFFICIENT_DISK_SPACE_ERROR
. - (Optional) Type a Message ID that identifies the message.
For example,insufficient_diskspace
. - (Optional) If a message uses field substitution, type the Fields to use. The fields used for argument substitution must be returned in the search results to be included in the message. Type the fields in the order that they must be substituted in the message.
For example, for a messageHost %s has free disk space %d, below the minimum 5GB.
, type the fieldssrc,FreeMBytes
. - (Optional) Select Yes for Keep Only Latest and keep only the latest message produced by a search.
For example, if the host has low disk space for three days, rather than get daily messages for three days, select Yes for this setting to only see one message. - Click Save.
Configure per-panel filtering in Splunk Enterprise Security | Dashboard requirements matrix for Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0
Feedback submitted, thanks!