Priority Management¶
About priority levels in TrackMe¶
Hint
Priority levels are an important concept in TrackMe which can easily be leveraged to categorize the importance of your different Splunk feeds, and for instance redirect notifications depending on an entity’s priority level.
TrackMe supports the following priority levels:
critical
high
medium
low
pending
The priority level of an entity is defined by default when discovered, and can be updated per entity, defined by policy, or managed externally.
Entities are usually filtered when forwarding alerts to a third party, such as email or a ticketing system, based on their priority level.
Priority is a valuable concept that can be leveraged to reduce noise and alert fatigue. A frequent and recommended practice is to focus on high and critical priorities, while other priorities can be considered over time.
About the pending priority level
The pending priority is a special priority level that can be used to qualify newly discovered entities before allowing them to be part of the alerting framework.
In particular, when creating alerts, TrackMe calls the macro `trackme_apply_maintenance_mode_v2`, which contains the following exclusion:
``` exclude entities with priority pending ```
| where NOT (priority="pending")
Priority at discovery time¶
TrackMe applies the priority level at discovery time, which is configurable per Virtual Tenant:
When a Virtual Tenant is created, you can define the default priority that will be applied to entities as they are discovered:
Once the Virtual Tenant is created, you can update the default priority level in the Virtual Tenant’s settings:
Managing priority at the entity level¶
You can update the priority level of an entity in different ways:
Click on the 3-dot menu on the entity row and select Priority Management
Open the entity view, click on the 3-dot menu and select Priority Management
Updating entities in bulk¶
To update entities in bulk:
Check the boxes of entities to be updated, or search for a pattern in the search bar and check the top header checkbox to select all matching entities
The bulk edit buttons appear
Select Priority Management and the wanted priority level
Managing priority via policy¶
TrackMe supports the management of priority levels via policy, which can be defined per Virtual Tenant:
Priority policies allow you to automate priority assignment across entities using regex-based or lookup-based rules.
Regex-based policies match regular expressions against a configurable entity field (default: the entity name).
Lookup-based policies leverage existing Splunk lookups (CSV or KVstore) to assign priorities based on field mappings, making it easy to integrate with a CMDB or asset inventory.
Matching entities are automatically updated with the priority level defined in the policy.
If multiple policies match a given entity, the highest priority level takes precedence across all policy types.
An entity managed by policies can still be updated manually, and the policy will not override the manual update.
TrackMe will show an informational message in the entity screen, displaying the policy managing the entity, the requested priority level, and the effective priority level.
Accessing the policy management screen:
From any Tenant Home page, click the priority icon in the left-hand panel, then select Manage priority policies
Lookup-based policies¶
Lookup-based policies leverage existing Splunk lookup transforms (CSV files or KVstore collections) to assign priorities to entities based on field mappings. This is the recommended approach when integrating with an external CMDB, asset inventory, or any structured data source.
Creating a lookup-based policy:
Click Create new policy and select the Lookup mode
Enter a policy identifier (or let TrackMe auto-generate one)
Select a Splunk lookup transform from the dropdown — TrackMe lists all available lookup transforms in your Splunk environment
Configure field mappings to map lookup fields to entity fields — for example, map the lookup field `index` to the entity field `data_index`, and the lookup field `host` to the entity field `object`
Select the priority field — the field in the lookup that contains the priority value
Optionally configure priority value mappings to translate foreign priority values to TrackMe’s format (e.g., `P1` → `critical`, `P2` → `high`)
Select the match mode: Exact (case-insensitive string matching) or Wildcard (supports `*` and `?` patterns)
Click Simulate to preview which entities would be matched and what priorities would be assigned
Data source (dsm) example, with a lookup file containing indexes and their priority:
Data source (dsm) example, with a lookup file containing indexes, sourcetypes and their priority:
Data source (dsm) example, with a lookup file containing sourcetypes and their priority:
Hosts tracking (dhm) example, with a lookup file containing host names and their priority:
Lookup policy configuration details
Field mappings: Define how lookup fields map to entity fields. All mapped fields must match for an entity to be selected. For example, if you map `index` → `data_index` and `host` → `object`, both conditions must be satisfied.
Priority field: The column in the lookup containing the priority value (e.g., a `severity` or `priority` column).
Priority value mappings (optional): If your lookup uses custom values like `P1`, `P2`, `P3`, you can map them to TrackMe priority levels (`critical`, `high`, `medium`, `low`, `pending`). If no mappings are configured, the lookup values must already match TrackMe’s priority names.
Match modes: `Exact` performs case-insensitive string comparison. `Wildcard` supports `*` (matches any characters) and `?` (matches a single character) for flexible pattern matching.
Regex-based policies¶
Regex-based policies match a regular expression pattern against an entity field. When the pattern matches, the configured priority value is assigned to the entity.
Creating a regex-based policy:
Click Create new policy and select the Regex mode
Enter a policy identifier (or let TrackMe auto-generate one)
Enter the regex pattern to match against entities
Select the match against field — by default, the regex matches against the `object` field (entity name), but you can choose any available field such as `alias`, `data_index`, `data_sourcetype`, or enter a custom field name
Select the priority level to assign to matched entities
Click Simulate to preview which entities would be matched before saving
About the Match against field option
By default, regex policies match against the `object` field, which is the entity name.
You can target any entity field available for the component, such as `alias`, `data_index`, `data_sourcetype`, or even a custom field name.
This is particularly useful when you want to assign priorities based on entity attributes rather than their names. For example, matching all entities from a specific index using `data_index`.
Priority hierarchy and conflict resolution¶
When multiple policies (regex, lookup, or a mix of both) match the same entity, TrackMe applies the highest priority level across all matching policies:
| Priority Level | Numerical Value |
|---|---|
| pending | 5 (special) |
| critical | 4 |
| high | 3 |
| medium | 2 |
| low | 1 |
For example, if a regex policy assigns medium and a lookup policy assigns critical to the same entity, the entity will receive the critical priority.
Once a priority is assigned by a policy, TrackMe sets the priority_updated flag on the entity, which prevents the default priority logic from overriding the policy-assigned value during regular evaluation cycles.
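The following Python model is an added example, not TrackMe’s own code, that works through the policy semantics described in the lookup-based, regex-based and conflict-resolution sections above: field mappings that must all match, optional value mappings (`P1` → `critical`), the Exact and Wildcard match modes, the numeric hierarchy used when several policies match, the `priority_reason` / `priority_updated` fields, and the rule that a manual update is never overwritten. The lookup rows, entities, policy identifiers and the `priority_manual` flag are constructed for the example; whether Wildcard matching is case-insensitive is also an assumption, since the page only states that for Exact.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# TrackMe's documented hierarchy: pending is a special value that outranks the others.
PRIORITY_RANK = {"pending": 5, "critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class RegexPolicy:
    policy_id: str
    pattern: str                  # regular expression tested against match_field
    priority: str                 # TrackMe priority assigned on match
    match_field: str = "object"   # entity name by default; alias, data_index, ... also allowed


@dataclass
class LookupPolicy:
    policy_id: str
    rows: list                    # constructed stand-in for the rows of a Splunk lookup transform
    field_mappings: dict          # lookup field -> entity field; every mapping must match
    priority_field: str           # lookup column holding the priority value
    value_mappings: dict = field(default_factory=dict)  # foreign value -> TrackMe value
    match_mode: str = "exact"     # "exact" (case-insensitive) or "wildcard" (* and ?)


def wildcard_to_regex(pattern: str) -> str:
    """* matches any run of characters, ? exactly one; everything else is literal."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def values_match(lookup_value, entity_value, mode: str) -> bool:
    if lookup_value is None or entity_value is None:
        return False
    if mode == "exact":
        return lookup_value.lower() == entity_value.lower()
    if mode == "wildcard":  # assumption: also case-insensitive
        return re.fullmatch(wildcard_to_regex(lookup_value), entity_value, re.IGNORECASE) is not None
    raise ValueError(f"unknown match mode: {mode}")


def requested_priority(policy, entity: dict) -> Optional[str]:
    """Priority a single policy would assign to the entity, or None when it does not match."""
    if isinstance(policy, RegexPolicy):
        value = entity.get(policy.match_field)
        return policy.priority if value is not None and re.search(policy.pattern, value) else None
    for row in policy.rows:
        if all(values_match(row.get(lf), entity.get(ef), policy.match_mode)
               for lf, ef in policy.field_mappings.items()):
            prio = policy.value_mappings.get(row[policy.priority_field], row[policy.priority_field])
            if prio not in PRIORITY_RANK:  # unmapped values must already be TrackMe names
                raise ValueError(f"{policy.policy_id}: unmapped priority value {prio!r}")
            return prio
    return None


def resolve(entity: dict, policies: list):
    """Evaluate every policy and keep the highest level across all matches (regex or lookup)."""
    requests = [(p.policy_id, prio) for p in policies
                if (prio := requested_priority(p, entity)) is not None]
    return max(requests, key=lambda r: PRIORITY_RANK[r[1]]) if requests else None


def apply_policies(entity: dict, policies: list) -> dict:
    """Mimic the policy tracker on one entity: set priority, priority_reason and priority_updated,
    but leave a manually set priority alone (modelled here by a constructed priority_manual flag)."""
    winner = resolve(entity, policies)
    if winner is None:
        return entity
    policy_id, requested = winner
    reason = f"priority_policy_id:{policy_id}"
    if entity.get("priority_manual"):
        entity["priority_reason"] = f"{reason} (requested {requested}, manual value kept)"
        return entity
    entity["priority"] = requested
    entity["priority_reason"] = reason
    entity["priority_updated"] = True  # protects the value from the default discovery logic
    return entity


# Constructed sample policies: one regex policy plus two lookup policies (exact and wildcard).
POLICIES = [
    RegexPolicy("regex_firewall", r"^firewall:", "medium"),
    LookupPolicy("lookup_cmdb", rows=[{"index": "netfw", "severity": "P1"},
                                      {"index": "proxy", "severity": "P2"}],
                 field_mappings={"index": "data_index"}, priority_field="severity",
                 value_mappings={"P1": "critical", "P2": "high", "P3": "low"}),
    LookupPolicy("lookup_lab", rows=[{"index": "lab*", "priority": "low"}],
                 field_mappings={"index": "data_index"}, priority_field="priority",
                 match_mode="wildcard"),
]


def demo() -> dict:
    """Run the tracker over constructed entities; regex and lookup both match 'fw', critical wins."""
    entities = {
        "fw": {"object": "firewall:netfw:pan:traffic", "data_index": "netfw", "priority": "medium"},
        "lab": {"object": "lab_dev:syslog", "data_index": "lab_dev", "priority": "medium"},
        "manual": {"object": "firewall:dmz", "data_index": "NETFW", "priority": "high",
                   "priority_manual": True},
        "none": {"object": "app:logs", "data_index": "app", "priority": "medium"},
    }
    return {name: apply_policies(dict(e), POLICIES) for name, e in entities.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result.get("priority"), result.get("priority_reason"))
```

The `manual` entity shows the documented behaviour most worth checking: the CMDB lookup still matches it (Exact mode is case-insensitive, so `NETFW` matches `netfw`) and requests `critical`, but the manually set `high` is kept and the reason records both values, which is what the informational message in the entity screen conveys.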
Running the policy tracker¶
After creating one or more policies, you can execute the policy tracker to apply all configured policies to your entities:
Click the Run policy tracker button in the policy management screen
TrackMe will evaluate all regex and lookup policies against all entities in the selected component
A summary of the results is displayed, including the number of entities updated, matched, and any errors encountered
Entities managed by policies¶
When an entity is managed by a policy, TrackMe displays an informational message in the priority management screen, showing the policy identifier and the requested priority level:
You can still override the priority level manually at the entity level — the policy will not overwrite manual changes.
Accessing entities managed by policies using trackmegetcoll:
Entities managed by policies can be identified using the priority_reason field:
Notes:
Update the `tenant_id` and `component` to match your environment
The following SPL can be accessed via the “Search table” button in TrackMe’s UI; it leverages the real-time decision maker and TrackMe REST API
| trackmegetcoll tenant_id=feeds-secops component=dsm
| where isnotnull(priority_reason) AND match(priority_reason, "^priority_policy_id:")
| table object, priority, priority_reason
Managing priority externally¶
TrackMe supports the management of priority levels externally:
External management allows you to update the priority level of entities using Splunk and any logic of your own.
Priority policies take precedence over external management.
If an entity is managed externally, the priority level can still be updated manually, and external management will not override the manual update.
TrackMe will show an informational message in the entity screen, displaying the external management managing the entity, the requested priority level, and the effective priority level.
Hint
Consider using lookup-based priority policies instead
With the introduction of lookup-based priority policies (see Managing priority via policy), the same use cases previously handled through external priority management can now be achieved directly within TrackMe’s built-in policy framework. Lookup-based policies offer several advantages:
Easier configuration — no custom SPL searches or scheduled searches to maintain
Full built-in control — policies are managed, simulated, and applied through the TrackMe UI
Continuous enforcement — the built-in priority tracker automatically applies policies, ensuring newly discovered entities are handled without delay
Audit and visibility — policy-managed entities are clearly identified in the UI with their associated policy
External priority management remains available for advanced use cases requiring custom logic beyond what policies can express.
Example of SPL:
Update the tenant_id
Update the search to match your needs, lookup files and logic
In this example, the lookup field contains the index names which we use as the lookup key to define the priority_external field.
| inputlookup trackme_dsm_tenant_feeds-secops | eval keyid=_key
``` In this example, we leverage a Splunk lookup file referencing indexes and used to define the field priority_external ```
| lookup feeds_priorities.csv index as data_index OUTPUT priority as priority_external
| where isnotnull(priority_external)
``` The field priority_reason will be used by TrackMe to display an informational message ```
| eval priority_reason="lookup: feeds_priorities.csv"
``` Finally, the KVstore records will be updated; schedule this search so that any newly discovered entity will retrieve the expected externally managed priority ```
| outputlookup append=t key_field=keyid trackme_dsm_tenant_feeds-secops
In this example, the lookup file contains both index and sourcetype names, which we use as the lookup key to define the priority_external field.
| inputlookup trackme_dsm_tenant_feeds-secops | eval keyid=_key
``` In this example, we leverage a Splunk lookup file referencing indexes and used to define the field priority_external ```
| lookup feeds_priorities.csv index as data_index, sourcetype as data_sourcetype OUTPUT priority as priority_external
| where isnotnull(priority_external)
``` The field priority_reason will be used by TrackMe to display an informational message ```
| eval priority_reason="lookup: feeds_priorities.csv"
``` Finally, the KVstore records will be updated; schedule this search so that any newly discovered entity will retrieve the expected externally managed priority ```
| outputlookup append=t key_field=keyid trackme_dsm_tenant_feeds-secops
TrackMe automatically detects that the priority is externally managed, and will show an informational message when accessing the priority management screen, either on a per entity basis or via bulk edit:
Entities managed externally can be identified using the priority_external field:
Notes:
Update the tenant_id
The following SPL can be accessed via the “Search table” button in TrackMe’s UI; it leverages the real-time decision maker and TrackMe REST API
| trackmegetcoll tenant_id=feeds-secops component=dsm
| where isnotnull(priority_external)
| table object, priority*