Attribute precedence within a single props.conf file
In addition to understanding how attribute precedence works across files, you also sometimes need to consider attribute priority within a single props.conf file.
Precedence within sets of stanzas affecting the same target
When two or more stanzas specify a behavior that affects the same item, items are evaluated by the stanzas' ASCII order. For example, assume you specify in props.conf
the following stanzas:
[source::.../bar/baz] attr = val1 [source::.../bar/*] attr = val2
The second stanza's value for attr
will be used, because its path is higher in the ASCII order and takes precedence.
Overriding default attribute priority in props.conf
There's a way to override the default ASCII priority in props.conf
. Use the priority
key to specify a higher or lower priority for a given stanza.
For example, suppose we have a source:
source::az
and the following patterns:
[source::...a...] sourcetype = a [source::...z...] sourcetype = z
In this case, the default behavior is that the settings provided by the pattern "source::...a..." take precedence over those provided by "source::...z...". Thus, sourcetype will have the value "a".
To override this default ASCII ordering, use the priority
key:
[source::...a...] sourcetype = a priority = 5 [source::...z...] sourcetype = z priority = 10
Assigning a higher priority to the second stanza causes sourcetype
to have the value "z".
There's another attribute precedence issue to consider. By default, stanzas that match a string literally ("literal-matching stanzas") take precedence over regex pattern-matching stanzas. This is due to the default values of their priority
keys:
- 0 is the default for pattern-matching stanzas
- 100 is the default for literal-matching stanzas
So, literal-matching stanzas will always take precedence over pattern-matching stanzas, unless you change that behavior by explicitly setting their priority
keys.
You can use the priority
key to resolve collisions between patterns of the same type, such as sourcetype
patterns or host
patterns. The priority
key does not, however, affect precedence across spec types. For example, source
patterns take priority over host
and sourcetype
patterns, regardless of priority key values.
Precedence for events with multiple attribute assignments
The props.conf
file sets attributes for processing individual events by host, source, or sourcetype (and sometimes event type). So it's possible for one event to have the same attribute set differently for the default fields: host, source or sourcetype. The precedence order is:
- source
- host
- sourcetype
You might want to override the default props.conf
settings. For example, assume you are tailing mylogfile.xml
, which by default is labeled sourcetype = xml_file
. This configuration will re-index the entire file whenever it changes, even if you manually specify another sourcetype, because the property is set by source. To override this, add the explicit configuration by source:
[source::/var/log/mylogfile.xml] CHECK_METHOD = endpoint_md5
Configuration file precedence | How to edit a configuration file |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.3.0
Feedback submitted, thanks!