Splunk® Enterprise

Admin Manual

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Customize Splunk Web messages

You can modify notifications that display in Splunk Web in one of two ways:

  • You can add and edit the text of custom notifications that display in the Messages menu.
  • You can set the audience for certain error or warning messages generated by Splunk Enterprise.

Add or edit a custom notification

Add or edit a custom notification in Splunk Web or using the Splunk platform REST API.

Add a custom notification in Splunk Web

You can add a custom message to Splunk Web, for example to notify your users of scheduled maintenance. You need admin or system user level privileges to add or edit a custom notification.

To add or change a custom notification:

  1. Select Settings > User Interface.
  2. Click New to create a new message, or click Bulletin Messages and select the message you want to edit.
  3. Give your new message a name and message text, or edit the existing text.
  4. Click Save. The message will now appear when the user accesses Messages in the menu.

Add a custom notification using the Splunk platform REST API

For information on how to add a custom notification using the Splunk platform REST API, see Message users in apps for Splunk Cloud Platform and Splunk Enterprise in the Splunk Developer Guide.

Set audience for a Splunk Enterprise message

For some messages that appear in Splunk Web, you can control which users see the message.

If by default a message displays only for users with a particular capability, such as admin_all_objects, you can display the message to more of your users, without granting them the admin_all_objects capability. Or you can have fewer users see a message.

The message you configure must exist in messages.conf. You can set the audience for a message by role or by capability, by modifying settings in messages.conf.

Identify a message available for audience scoping

The message you restrict must exist in messages.conf. Not all messages reside in messages.conf. If a message contains a Learn more link it resides in messages.conf and is configurable. If a message does not contain a Learn more link, it might or might not reside in messages.conf and be configurable.

For example, the message in the following image contains a Learn more link:

UI message learnmore.png

Once you have chosen a message that you want to configure, check whether it is configurable. Search for parts of the message string in $SPLUNK_HOME/etc/system/default/messages.conf on *nix or %SPLUNK_HOME%\etc\system\default\messages.conf on Windows. The message string is a setting within a stanza. The stanza name is a message identifier. Make note of the stanza name to use in your customized copy of messages.conf. Never edit the configuration files that are in the default directory.

For example, searching the default messages.conf for text from the sample message shown above, such as "artifacts," leads you to the following stanza:

[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU]
message      = The number of search artifacts in the dispatch directory is higher than recommended (count=%lu, warning threshold=%lu) and could have an impact on search performance.
action       = Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size.
severity     = warn
capabilities = admin_all_objects
help         = message.dispatch.artifacts 

The stanza name for this message is DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU.

Scope a message by capability

Set the capabilities required to view a message by editing the capabilities attribute in the messages.conf stanza for the message. A user must have all the listed capabilities to view the message.

For example,

[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU]
capabilities = admin_all_objects, can_delete

For a list of capabilities and their definitions, see About defining roles with capabilities in Securing Splunk Enterprise.

If a role attribute is set for the message, that attribute takes precedence over the capabilities attribute. The capabilities attribute for the message is ignored.

See messages.conf.spec.

Scope a message by role

Set the roles required to view a message by editing the roles attribute in the messages.conf stanza for the message. If a user belongs to any of these roles, the message is visible to them.

If a role attribute is set for the message, that attribute takes precedence over the capabilities attribute. The capabilities attribute for the message is ignored.

For example:

[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU]
roles = admin


See About configuring role-based user access in Securing Splunk Enterprise.

Last modified on 20 December, 2023
Splunk Enterprise summary dashboard   About configuration files

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters