Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. Click here for the latest version.Download topic as PDF
The following are the spec and example files for
Version 7.2.10 This file contains attribute/value pairs for configuring externalized strings in messages.conf. There is a messages.conf in $SPLUNK_HOME/etc/system/default/. To set custom configurations, place a messages.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations. To learn more about configuration files (including precedence) please see the documentation located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles For the full list of all messages that can be overridden, check out $SPLUNK_HOME/etc/system/default/messages.conf The full name of a message resource is component_key + ':' + message_key. After a descriptive message key, append two underscores, and then use the letters after the % in printf style formatting, surrounded by underscores. For example, assume the following message resource is defined: [COMPONENT:MSG_KEY__D_LU_S] message = FunctionX returned %d, expected %lu. action = See %s for details. The message key expected 3 printf style arguments (%d, %lu, %s), which can be in either the message or action fields but mist appear in the same order. In addition to the printf style arguments above, some custom UI patterns are allowed in the message and action fields. These patterns will be rendered by the UI before displaying the text. For example, linking to a specific Splunk page can be done using this pattern: [COMPONENT:MSG_LINK__S] message = License key '%s' is invalid. action = See [[/manager/system/licensing|Licensing]] for details. Another custom formatting option is for date/time arguments. If the argument should be rendered in local time and formatted to a specific langauge, simply provide the unix timestamp and prefix the printf style argument with "$t". This will hint that the argument is actually a timestamp (not a number) and should be formatted into a date/time string. The language and timezone used to render the timestamp is determined during render time given the current user viewing the message - it is not required to provide these details here. For example, assume the following message resource is defined: [COMPONENT:TIME_BASED_MSG__LD] message = Component exception @ $t%ld. action = See splunkd.log for details. The first argument is prefixed with "$t", and therefore will be treated as a unix timestamp. It will be formatted as a date/time string. For these and other examples, check out $SPLUNK_HOME/etc/system/README/messages.conf.example Component
name = <string> * The human-readable name used to prefix all messages under this component * Required Message
message = <string> * The message string describing what and why something happened * Required message_alternate = <string> * An alternative static string for this message * Any arguments will be ignored * Defaults to nothing action = <string> * The action string describing the next steps in reaction to the message * Defaults to nothing severity = critical|error|warn|info|debug * The severity of the message * Defaults to warn capabilities = <capability list> * The capabilities required to view the message, comma separated * Defaults to nothing roles = <role list> * The roles required to view the message, comma separated. If a user belongs to any of these roles, the message will be visible to them. * If a role scope is specified with this setting, it takes precedence over the "capabilities" setting, which is ignored for the message. * Always unset by default in Splunk Enterprise. This settings should be manually configured with any system or user-created roles. help = <location string> * The location string to link users to specific documentation * Defaults to nothing target = [auto|ui|log|ui,log|none] * Sets the message display target. * "auto" means the message display target is automatically determined by context. * "ui" messages are displayed by in Splunk Web and can be passed on from search peers to search heads in a distributed search environment. * "log" messages are displayed only in the log files for the instance, under the BulletinBoard component, with log levels that respect their message severity. For example, messages with severity "info" are displayed as INFO log entries. * "ui,log" combines the functions of the "ui" and "log" options. * "none" completely hides the message (please consider using "log" and reducing severity instead, using "none" may impact diagnosability). * Default: auto
# Version 7.2.10 # # This file contains an example messages.conf of attribute/value pairs for # configuring externalized strings. # # There is a messages.conf in $SPLUNK_HOME/etc/system/default/. To set custom # configurations, place a messages.conf in $SPLUNK_HOME/etc/system/local/. You # must restart Splunk to enable configurations. # # To learn more about configuration files (including precedence) please see the # documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles # # For the full list of all literals that can be overridden, check out # $SPLUNK_HOME/etc/system/default/messages.conf [DISK_MON] name = Disk Monitor [DISK_MON:INSUFFICIENT_DISK_SPACE_ERROR__S_S_LLU] message = Cannot write data to index path '%s' because you are low on disk space on partition '%s'. Indexing has been paused. action = Free disk space above %lluMB to resume indexing. severity = warn capabilities = indexes_edit help = learnmore.indexer.setlimits [LM_LICENSE] name = License Manager [LM_LICENSE:EXPIRED_STATUS__LD] message = Your license has expired as of $t%ld. action = $CONTACT_SPLUNK_SALES_TEXT$ capabilities = license_edit [LM_LICENSE:EXPIRING_STATUS__LD] message = Your license will soon expire on $t%ld. action = $CONTACT_SPLUNK_SALES_TEXT$ capabilities = license_edit [LM_LICENSE:INDEXING_LIMIT_EXCEEDED] message = Daily indexing volume limit exceeded today. action = See [[/manager/search/licenseusage|License Manager]] for details. severity = warn capabilities = license_view_warnings help = learnmore.license.features [LM_LICENSE:MASTER_CONNECTION_ERROR__S_LD_LD] message = Failed to contact license master: reason='%s', first failure time=%ld ($t%ld). severity = warn capabilities = license_edit help = learnmore.license.features [LM_LICENSE:SLAVE_WARNING__LD_S] message = License warning issued within past 24 hours: $t%ld. action = Please refer to the License Usage Report view on license master '%s' to find out more. severity = warn capabilities = license_edit help = learnmore.license.features
Last modified on 19 February, 2020
This documentation applies to the following versions of Splunk® Enterprise: 7.2.10
Feedback submitted, thanks!