Hi,
We are running a distributed Splunk environment and monitor the messages which appear when there are issues within the ecosystem.
We read about how to customize messages and the official Splunk docs for messages.conf, but weren't able to find good answers there. Maybe one of you has more experience with that.
https://docs.splunk.com/Documentation/Splunk/8.2.5/Admin/Customizeuserexperience
https://docs.splunk.com/Documentation/Splunk/8.2.5/Admin/Messagesconf
Can someone help to explain those parameters and the behavior?
target = [auto|ui|log|ui,log|none]
* Sets the message display target.
* "auto" means the message display target is automatically determined by context.
* "ui" messages are displayed in Splunk Web and can be passed on from search peers to search heads in a distributed search environment.
* "log" messages are displayed only in the log files for the instance under the BulletinBoard component, with log levels that respect their message severity. For example, messages with severity "info" are displayed as INFO log entries.
* "ui,log" combines the functions of the "ui" and "log" options.
* "none" completely hides the message. (Please consider using "log" and reducing severity instead. Using "none" might impact diagnosability.)
* Default: auto
I am trying to find a way to control whether messages get distributed to another instance, like the Monitoring Console, or whether they should only appear on the system where the issue happened. Is that possible?
Where do I find those events if I select "log" as the parameter? Do they appear only in splunkd.log?
Thanks