Splunk® Enterprise

Admin Manual

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Download topic as PDF

Attribute precedence within a single props.conf file

In addition to understanding how attribute precedence works across files, you also sometimes need to consider attribute priority within a single props.conf file.

Precedence within sets of stanzas affecting the same target

When two or more stanzas specify a behavior that affects the same item, items are evaluated by the stanzas' ASCII order. For example, assume you specify in props.conf the following stanzas:

attr = val1

attr = val2

The second stanza's value for attr will be used, because its path is higher in the ASCII order and takes precedence.

Overriding default attribute priority in props.conf

There's a way to override the default ASCII priority in props.conf. Use the priority key to specify a higher or lower priority for a given stanza.

For example, suppose we have a source:


and the following patterns:

    sourcetype = a

    sourcetype = z

In this case, the default behavior is that the settings provided by the pattern "source::...a..." take precedence over those provided by "source::...z...". Thus, sourcetype will have the value "a".

To override this default ASCII ordering, use the priority key:

    sourcetype = a
    priority = 5

    sourcetype = z
    priority = 10

Assigning a higher priority to the second stanza causes sourcetype to have the value "z".

There's another attribute precedence issue to consider. By default, stanzas that match a string literally ("literal-matching stanzas") take precedence over regex pattern-matching stanzas. This is due to the default values of their priority keys:

  • 0 is the default for pattern-matching stanzas
  • 100 is the default for literal-matching stanzas

So, literal-matching stanzas will always take precedence over pattern-matching stanzas, unless you change that behavior by explicitly setting their priority keys.

You can use the priority key to resolve collisions between patterns of the same type, such as sourcetype patterns or host patterns. The priority key does not, however, affect precedence across spec types. For example, source patterns take priority over host and sourcetype patterns, regardless of priority key values.

Precedence for events with multiple attribute assignments

The props.conf file sets attributes for processing individual events by host, source, or sourcetype (and sometimes event type). So it's possible for one event to have the same attribute set differently for the default fields: host, source or sourcetype. The precedence order is:

  • source
  • host
  • sourcetype

You might want to override the default props.conf settings. For example, assume you are tailing mylogfile.xml, which by default is labeled sourcetype = xml_file. This configuration will re-index the entire file whenever it changes, even if you manually specify another sourcetype, because the property is set by source. To override this, add the explicit configuration by source:

CHECK_METHOD = endpoint_md5
Configuration file precedence
How to edit a configuration file

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2


Note: Alphanumeric ordering also applies to the TRANSFORMS attributes within a stanza.


TRANSFORMS-orgname = tx_my_sourcetype_orgname
TRANSFORMS-address = tx_my_sourcetype_address
TRANSFORMS-phone = tx_my_sourcetype_phone
TRANSFORMS-email_msg = tx_my_sourcetype_email_msg

The order the TRANSFORMS are executed is by the class name in alphanumeric order, so it would be:


This may make a difference if in TRANFORMS-email_msg for example, your are transforming _raw during index time to reduce the data indexed, and if that includes stripping out data that the other transforms need, you'd never get those values. To make TRANSFORMS-email_msg go last, you'd add a z in front:


Or add an 'a' in front for all the other TRANSFORMS. Alternatively you could just number your class IDs:


Rkantamaneni splunk, Splunker
October 15, 2018

What is the max value priority may be set to?

February 23, 2018

SloshBurch - A setting in a specific stanza always trumps a setting in a default stanza, across all files - default or local. So, splunk=awesome.

November 7, 2014

I might have just missed it on this page, but can we add to this page to describe the behavior of a [default] stanza within a conf file?<br /><br />More specifically, if my default conf file contains:<br /><br />[knowledge_object1]<br />splunk = awesome<br />But then, in the same app, the corresponding local conf file has<br /><br />[default]<br />splunk = best<br /><br />What is the determined value of the "splunk" attribute in knowledge_object1?

November 5, 2014

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters