Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Supress Subsearch Warning

slierninja
Communicator
‎11-02-2012 09:03 AM

Is there a way to hide the splunk notification message:

[subsearch]: Your timerange was substituted based on your search string

I have a saved search that utilizes joins and each time I view the saved search in the dashboard it displays this notification in Splunk 4.2.

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎11-02-2012 03:10 PM

If your view is an advanced XML, you can manipulate the filtering options in the "Message" module of the view.

It looks a bit like this:

<module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
</module>

I don't have a good list of possible values for filter, but if your dashboard is pretty static and well-trusted, you could remove the Message module in its entirety. Another good option to look at is @sideview's approach in:

http://splunk-base.splunk.com/answers/3123/message-module-filter-values

If it is not an advanced XML view, then I don't know if this is even possible.

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎11-02-2012 03:10 PM

If your view is an advanced XML, you can manipulate the filtering options in the "Message" module of the view.

It looks a bit like this:

<module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
</module>

I don't have a good list of possible values for filter, but if your dashboard is pretty static and well-trusted, you could remove the Message module in its entirety. Another good option to look at is @sideview's approach in:

http://splunk-base.splunk.com/answers/3123/message-module-filter-values

If it is not an advanced XML view, then I don't know if this is even possible.

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎11-02-2012 05:23 PM

Well, again, commenting it out is a drastic step - all warning and error messages won't show up.... maybe someone will have a better approach.

0 Karma
Reply
Solved! Jump to solution

slierninja
Communicator
‎11-02-2012 03:21 PM

Commenting out the Message module worked perfectly! I questioned that, but I only know enough to be dangerous at this point. Thanks for the help!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...