Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Create a Splunk Web message in Splunk Enterprise Security

Create a message in Splunk Web based on the results of a search using the Create Splunk messages alert action. Only administrators can create messages using this alert action.

The message that you create with this alert action must already exist in messages.conf. See Customize Splunk Web messages in the Splunk Enterprise Admin Manual for more about creating messages.

  1. You can create Splunk Web messages from a search or from a correlation search:
    Option Steps
    Create a new alert From the Search page in the Search and Reporting app, select Save As > Alert. Type and select alert details and configure triggering and throttling as needed.
    Create or edit a correlation search From the ES menu bar, select Configure > Content > Content Management. Select Create New Content > Correlation Search. Type and select correlation search configurations as needed.
    Edit a correlation search From the ES menu bar, select Configure > Content > Content Management. Select the correlation search.
  2. Click Add Actions and select Create Splunk messages.
  3. Select a Name. The name corresponds to a stanza in messages.conf of an existing message.
    For example, DISK_MON:INSUFFICIENT_DISK_SPACE_ERROR.
  4. (Optional) Type a Message ID that identifies the message.
    For example, insufficient_diskspace.
  5. (Optional) If a message uses field substitution, type the Fields to use. The fields used for argument substitution must be returned in the search results to be included in the message. Type the fields in the order that they must be substituted in the message.
    For example, for a message Host %s has free disk space %d, below the minimum 5GB., type the fields src,FreeMBytes.
  6. (Optional) Select Yes for Keep Only Latest and keep only the latest message produced by a search.
    For example, if the host has low disk space for three days, rather than get daily messages for three days, select Yes for this setting to only see one message.
  7. Click Save.
Last modified on 19 January, 2022
Configure per-panel filtering in Splunk Enterprise Security   Dashboard requirements matrix for Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters