Message module filter values?

smisplunk
Path Finder

Is there a list somewhere of the message categories to use in the filter parameter to the Message module? The example in the module documentation only mentions a filter setting of "splunk.search" receiving a message in the category "splunk.search.error". I'd like to filter out to only receive error messages. In particular, I'd like to hide messages like this:

Specified field(s) missing from results: 'classification', 'subject'

These appear in blue in the message bar, indicating low severity?

Attempting to set the param to "*.error" didn't filter out these messages.

sideview
SplunkTrust

The filter param that would filter out that message is splunk.search.job

There's a very significant problem with this, in that the vast majority of messages you see in the UI have this exact message class, so this change would filter out essentially ALL user messaging.
Presumably you don't want that 😃 -- you want users to keep getting informative search language errors and warnings when they have typos or when what they're typing makes no sense. In the long term, we should get this filed as an enhancement request. It does come up pretty regularly.

Anyway, with the filter param eliminated as an option, we're down to customizing the relevant piece of functionality from etc/<appname>/appserver/static/application.js.
You already have one of these in your app as I remember, but correct me if I'm wrong.

Normally customizing a little bit of a module's behaviour is very easy, but in this case I'm afraid both the code broadcasting the message and the code receiving the message make it quite difficult.

The shortest, simplest solution I can come up with is neither short nor simple, so I'm very hesitant to just post it here. I'll send you an email though and we'll see what level of interest this question/answer generates here. 😃

UPDATE: Here is some sample JS that you can put in application.js, that can remove chronic noise from the Message module.

/**
 * Customize the Message module so it won't constantly be telling the user that
 * lookup tables have been loaded and written to.
 * Believe it or not, this is the least evil way I was able to find to
 * override the message handling.
 */
if (Splunk.Module.Message) {
    Splunk.Module.Message = $.klass(Splunk.Module.Message, {
        getHTMLTransform: function($super) {
            // Please don't tell me any 'info' about lookups, nor 'error' about
            // entityLabelSingular, etc...
            // Thank you, that is all.
            var argh = [
                {contains: "lookup", level: "info"},
                {contains: "Results written to", level: "info"},
                {contains: "entityLabelSingular", level: "error"},
                {contains: "auto-finalized", level: "info"},
                {contains: "Your timerange was substituted", level: "info"},
                {contains: "Specified field(s) missing from results", level: "warn"}
            ];
            // Walk backwards so splicing does not skip the next message.
            for (var i = this.displayedMessages.length - 1; i >= 0; i--) {
                var message = this.displayedMessages[i];
                for (var j = 0, jLen = argh.length; j < jLen; j++) {
                    // Remove only when both the text and the level match a rule.
                    if ((message.content.indexOf(argh[j]["contains"]) != -1) && (message.level == argh[j]["level"])) {
                        this.displayedMessages.splice(i, 1);
                        break;
                    }
                }
            }
            return $super();
        }
    });
}

athana
Splunk Employee

Looking through the file: $SPLUNK_HOME/share/splunk/search_mrsparkle/modules/messaging/Message.js
I believe that there are five levels that you can use to filter messaging: debug, info, warn, error, and fatal. For example, if you want to show only error and above level messages, you can use it like this:


*
error

0 Karma

sideview
SplunkTrust

It would make sense if those were the strings you'd use here. However, it's a different space, like "splunk.search.job", and the values in that space don't have anything to do directly with the log level of the messages, which is the debug/info/warn/error/fatal part...

0 Karma

nate015
Explorer

I'm also interested. I would like to remove the message "Subsearches of a real-time search run over all-time unless explicit time bounds are specified within the subsearch."

0 Karma

fox
Path Finder

interested 🙂 mainly for the timerange substituted message - this is unwanted

sideview
SplunkTrust

NOTE: Prior to I think 4.3, you have to replace this.displayedMessages with this.messages. I've updated my answer to keep pace with 4.3 and 5.0. ALSO: If your view might ever display lots of messages, you have to also splice out of the "this.allMessages" array or else you can still get the "show all messages" link to show up, which can be very confusing.

0 Karma
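
Added example, not part of sideview's posts: the same level-plus-substring filter as a standalone helper that also covers the two caveats in the note above (falling back to `this.messages`, and splicing `this.allMessages`). The names `NOISE_RULES`, `isNoise`, `stripNoise` and `demo` are hypothetical and the messages in `demo()` are constructed; the array names, `$.klass` and `getHTMLTransform` are the ones used in the thread.

```javascript
// Drop a message only when BOTH substring and level match, so an error that
// happens to contain the same words is still shown to the user.
var NOISE_RULES = [
    {contains: "Your timerange was substituted", level: "info"},
    {contains: "Specified field(s) missing from results", level: "warn"}
];

function isNoise(message, rules) {
    return rules.some(function (r) {
        return message.level === r.level &&
            String(message.content).indexOf(r.contains) !== -1;
    });
}

// Hypothetical helper. Array names are those given in the thread:
// displayedMessages (4.3 and later), messages (earlier), allMessages.
function stripNoise(msgModule, rules) {
    var primary = Array.isArray(msgModule.displayedMessages) ? "displayedMessages" : "messages";
    var names = [primary, "allMessages"], removed = 0;
    for (var n = 0; n < names.length; n++) {
        var list = msgModule[names[n]];
        if (!Array.isArray(list)) continue;          // not present on this instance
        for (var i = list.length - 1; i >= 0; i--) { // backwards, so splice is safe
            if (isNoise(list[i], rules)) { list.splice(i, 1); removed++; }
        }
    }
    return removed;
}

// Constructed sample data standing in for a Message module instance.
function demo() {
    var msgs = [
        {content: "Your timerange was substituted based on your search string", level: "info"},
        {content: "Specified field(s) missing from results: 'classification'", level: "warn"},
        {content: "Specified field(s) missing from results: 'subject'", level: "error"}
    ];
    var fake = {displayedMessages: msgs.slice(), allMessages: msgs.slice()};
    return {removed: stripNoise(fake, NOISE_RULES), fake: fake};
}

// Wiring as in the answer; skipped when the Message module is not loaded.
if (typeof Splunk !== "undefined" && Splunk.Module && Splunk.Module.Message) {
    Splunk.Module.Message = $.klass(Splunk.Module.Message, {
        getHTMLTransform: function($super) {
            stripNoise(this, NOISE_RULES);
            return $super();
        }
    });
}
```

Keep the rule list narrow: every substring added is a message users will no longer see at that level.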

amjones
New Member

I've been using this successfully in Splunk 5.0 but since moving to Splunk 6.2.2 I get an "Uncaught TypeError: Cannot read property 'Message' of undefined" which I believe is happening because Splunk.Module.Message is not available.

My static_dir in web.conf points to the default share/splunk/search_mrsparkle/exposed

0 Karma

sideview
SplunkTrust

Note: I updated the answer because there was a fairly obvious bug in the logic that I had missed -- as written previously it would throw an error if a message to be filtered was not the only message in the list.

0 Karma