Dashboards & Visualizations

How can I supress certain Splunk web error/warning messages/notifications for non-admin users?

Glenn
Builder

There are a number of Splunk web alert messages/notifications that I do not want my users to see. Currently, when I make a change in Splunk Manager that requires a restart, ALL users (including those that do not have the access rights to restart the server) get the following message a the top of their Splunk web page:

"Splunk must be restarted for changes to take effect. Click here to restart from the Manager."

I also assume, that like in version 3.x non-admin users will also be notified of license violations, that they can do nothing about (I say assume, as we are currently not being notified of license violations at all apart from by a monitoring script I have put in myself, a bug has been logged - SPL-29454).

Of course there are certain messages that would be relevant to non-admin users, like search errors for unbalanced quotes and the like.

So, is there a way to selectively disable alerts in Splunk web for certain users?

Tags (3)
1 Solution

jrodman
Splunk Employee
Splunk Employee

There's not any exposed controls to filter the so-called bulletin board messages. I think internally some messages are filtered, but it's not important because we obviously haven't filtered everything you would tend to want.

There's an ongoing conversation internally around improving both the bulletin board and license messaging. I will point people to this answers link, but explicit bugs/ERs around this topic are a good input.

View solution in original post

asagban
Engager

Now that Advanced XML is deprecated in 6.0 abd above versions....any advice on how tis can be done now?

I would like to have the warnings not apear to users that are not admins

vsingla1
Communicator

Hi,
Trying to re-open/rejuvenate this old thread.

I got to the point where I see the message module being referenced in the search app xml files. I can modify the filter and level params in that file. But how to setup this based on user/role is still unanswered? How to modify the message module on role basis? Also, the current definition of level param says:

When set, will only emit messages equal to or higher than the specified level.

Is there a way to configure the level param so that it emits messages equal to or less than the specfied value?

Thanks,
Vineet

0 Karma

BobM
Builder

If you look at the advanced XML of the your pages, there are a few message modules.
The first on any page is for system messages. By default, this has a wildcard filter.

< module name="Message" layoutPanel="messaging">
  < param name="filter" >*< /param>

If you edit it and replace the * with the word NONE, it will then not show any system messages. Then make a duplicate copy, restore the * and only give the admin role rights to see it.

You will have to do this for each of the advanced XML pages you don't want users to see the message on. I don't think you can do this for simple XML so you will have to convert them.

0 Karma

miteshvohra
Contributor

Hi Bob, I think this would work for the new pages / panels / DBs being created or a fresh Splunk setup. However, for the already existing ones, this process will eat up too much time as the OP may not have the list of all the objects created. And, having multiple admins would add further complexity to the case as well.

Very useful info shared here. Is there a way, we can bookmark such suggestions for later review during client consulting or fresh deployments?

0 Karma

jrodman
Splunk Employee
Splunk Employee

There's not any exposed controls to filter the so-called bulletin board messages. I think internally some messages are filtered, but it's not important because we obviously haven't filtered everything you would tend to want.

There's an ongoing conversation internally around improving both the bulletin board and license messaging. I will point people to this answers link, but explicit bugs/ERs around this topic are a good input.

the_wolverine
Champion

Any chance this might have been implemented in 6.0? Most certainly it is not available in 5.x.

0 Karma

Glenn
Builder

Support call logged: # 41202

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...