Monitoring Splunk

How to configure bulletin messages correctly to avoid distribution of messages



We are running a distributed Splunk environment and monitor the messages which appear when there are issues within the ecosystem.

We did read about how to customize messages and the official Splunk docs for messages.conf but weren't able to get good answers from that. Maybe one of you has more experience with that.

Can someone help to explain those parameters and the behavior?

target = [auto|ui|log|ui,log|none]
* Sets the message display target.
  * "auto" means the message display target is automatically determined by
  * "ui" messages are displayed in Splunk Web and can be passed on from
    search peers to search heads in a distributed search environment.
  * "log" messages are displayed only in the log files for the instance under
    the BulletinBoard component, with log levels that respect their message
    severity. For example, messages with severity "info" are displayed as INFO
    log entries.
  * "ui,log" combines the functions of the "ui" and "log" options.
  * "none" completely hides the message. (Please consider using "log" and
    reducing severity instead. Using "none" might impact diagnosability.)
* Default: auto

I am trying to find a way to control whether messages are distributed to another instance like the Monitoring Console or whether they should only appear on the system where the issue happened. Is that possible?

Where do I find those events if I select "log" as the parameter? Do they appear only in splunkd.log?



