About event type priorities
You can give your event type a Priority. The Priority value that you select for an event type affects the display of events that match that event type, when those events also match other event types. For information on event types, see Define event types.
Priority affects the event type listing order in expanded events.
Event type matching takes place at search time. When you run a search and an event returned by that search matches an event type, Splunk software adds the corresponding
eventtype field-value pair to it, where the value is the event type name.
You can see the event types that have been added to an event when you review your search results. Expand the event and check to see if the
eventtype field is listed. If you see it, the event matches at least one event type.
If the event matches two or more event types,
eventtype becomes a multivalued field whose values are ordered alphabetically, with the exception of event types that have a Priority setting. Event types with a Priority setting are listed above the event types without one, and they are ordered according to their Priority value.
If you have a number of overlapping event types, or event types that are subsets of larger ones, you may want to give the precisely focused event types a better priority. For example, you could easily have a set of events that are part of a wide-ranging
all_system_errors event type. Within that large set of events, you could have events that also belong to more precisely focused event types like
Here is an example of an event that matches the
critical_disc_error event types.
In this example, the
critical_disk_error event type has a priority of
3 while the
all_system_errors event type has a priority of
3 is a better priority value than
critical_disk_error appears first in the list order.
Priority determines which event type color displays for an event
Only one event type color can be displayed for each event. When an event matches multiple event types, the Color for the event type with the best Priority value is displayed. However, for event types grouped with the
transaction command, no color is displayed.
Following from the previous example, here is an example of two events with event type coloration.
Both events match the
all_system_errors event type, which has a Color value of Orange. Events that have
all_system_errors as the dominant event type display with orange event type coloration. One of the events also matches the
critical_disk_error event type, which has a better Priority than
critical_disk_error event type has Color set to Purple, so the event that matches it has purple event type coloration instead of orange.
Define event types in Splunk Web
Automatically find and build event types
This documentation applies to the following versions of Splunk® Enterprise: 6.5.7
Feedback submitted, thanks!