Customize Splunk Web messages
You can modify notifications that display in Splunk Web in one of two ways:
- You can add and edit the text of custom notifications that display in the Messages menu.
- You can set the audience for certain error or warning messages generated by Splunk Enterprise.
Add or edit a custom notification
Add or edit a custom notification in Splunk Web or using the Splunk platform REST API.
Add a custom notification in Splunk Web
You can add a custom message to Splunk Web, for example to notify your users of scheduled maintenance. You need admin or system user level privileges to add or edit a custom notification.
To add or change a custom notification:
- Select Settings > User Interface.
- Click New to create a new message, or click Bulletin Messages and select the message you want to edit.
- Give your new message a name and message text, or edit the existing text.
- Click Save. The message will now appear when the user accesses Messages in the menu.
Add a custom notification using the Splunk platform REST API
For information on how to add a custom notification using the Splunk platform REST API, see Message users in apps for Splunk Cloud Platform and Splunk Enterprise in the Splunk Developer Guide.
Set audience for a Splunk Enterprise message
For some messages that appear in Splunk Web, you can control which users see the message.
If by default a message displays only for users with a particular capability, such as admin_all_objects
, you can display the message to more of your users, without granting them the admin_all_objects
capability. Or you can have fewer users see a message.
The message you configure must exist in messages.conf
. You can set the audience for a message by role or by capability, by modifying settings in messages.conf
.
Identify a message available for audience scoping
The message you restrict must exist in messages.conf
. Not all messages reside in messages.conf
. If a message contains a Learn more link it resides in messages.conf
and is configurable. If a message does not contain a Learn more link, it might or might not reside in messages.conf
and be configurable.
For example, the message in the following image contains a Learn more link:
Once you have chosen a message that you want to configure, check whether it is configurable. Search for parts of the message string in $SPLUNK_HOME/etc/system/default/messages.conf
on *nix or %SPLUNK_HOME%\etc\system\default\messages.conf
on Windows. The message string is a setting within a stanza. The stanza name is a message identifier. Make note of the stanza name to use in your customized copy of messages.conf
. Never edit the configuration files that are in the default
directory.
For example, searching the default messages.conf for text from the sample message shown above, such as "artifacts," leads you to the following stanza:
[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU] message = The number of search artifacts in the dispatch directory is higher than recommended (count=%lu, warning threshold=%lu) and could have an impact on search performance. action = Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size. severity = warn capabilities = admin_all_objects help = message.dispatch.artifacts
The stanza name for this message is DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU
.
Scope a message by capability
Set the capabilities required to view a message by editing the capabilities
attribute in the messages.conf
stanza for the message. A user must have all the listed capabilities to view the message.
For example,
[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU] capabilities = admin_all_objects, can_delete
For a list of capabilities and their definitions, see About defining roles with capabilities in Securing Splunk Enterprise.
If a role attribute is set for the message, that attribute takes precedence over the capabilities attribute. The capabilities attribute for the message is ignored.
See messages.conf.spec.
Scope a message by role
Set the roles required to view a message by editing the roles
attribute in the messages.conf
stanza for the message. If a user belongs to any of these roles, the message is visible to them.
If a role attribute is set for the message, that attribute takes precedence over the capabilities attribute. The capabilities attribute for the message is ignored.
For example:
[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU] roles = admin
See About configuring role-based user access in Securing Splunk Enterprise.
Configure Dashboards Trusted Domains List | Display global banner |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0
Feedback submitted, thanks!