About event type priorities
You can give your event type a Priority. The Priority value that you select for an event type affects the display of events that match that event type, when those events also match other event types. For information on event types, see Define event types.
Priority affects the event type listing order in expanded events.
Event type matching takes place at search time. When you run a search and an event returned by that search matches an event type, Splunk software adds the corresponding eventtype
field/value pair to it, where the value is the event type name.
You can see the event types that have been added to an event when you review your search results. Expand the event and check to see if the eventtype
field is listed. If you see it, the event matches at least one event type.
If the event matches two or more event types, eventtype
becomes a multivalued field whose values are ordered alphabetically, with the exception of event types that have a Priority setting. Event types with a Priority setting are listed above the event types without one, and they are ordered according to their Priority value.
If you have a number of overlapping event types, or event types that are subsets of larger ones, you may want to give the precisely focused event types a better priority. For example, you could easily have a set of events that are part of a wide-ranging all_system_errors
event type. Within that large set of events, you could have events that also belong to more precisely focused event types like critical_disc_error
and bad_external_resource_error
.
Here is an example of an event that matches the all_system_errors
and critical_disc_error
event types.
In this example, the critical_disk_error
event type has a priority of 3
while the all_system_errors
event type has a priority of 7
. 3
is a better priority value than 7
, so critical_disk_error
appears first in the list order.
Priority determines which event type color displays for an event
Only one event type color can be displayed for each event. When an event matches multiple event types, the Color for the event type with the best Priority value is displayed. However, for event types grouped with the transaction
command, no color is displayed.
Following from the previous example, here is an example of two events with event type coloration.
Both events match the all_system_errors
event type, which has a Color value of Orange. Events that have all_system_errors
as the dominant event type display with orange event type coloration. One of the events also matches the critical_disk_error
event type, which has a better Priority than all_system_errors
. The critical_disk_error
event type has Color set to Purple, so the event that matches it has purple event type coloration instead of orange.
Define event types in Splunk Web | Automatically find and build event types |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2203, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!