Documentation > Splunk > Admin Manual > Turn off segment indexing

Admin Manual

 


Overview
Setting Up Data Inputs
Authentication
Changing the Way Splunk Processes Your Data
Creating and Using Configuration Bundles
Configuring Your Sources
Splunk-2-Splunk Management
Integration
Managing Your Filesystem
How-To's

Turn off segment indexing

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Turn off segment indexing

The extreme form of reducing indexing density is to turn off segmentation altogether - the Splunk Server will only index each event's meta data - host, source and sourcetype.


inputs.conf

For example, to turn of tokenization by sourcetype add the following to the bundle's inputs.conf file. 


[tail://var/log/mylog]
_isTokenized = true

All data indexed that is from source /var/log/mylog will not have any of the raw log data indexed. Only source, host, sourcetype and timestamps will be searchable.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/2.2.3/Admin/TurnOffSegmentIndexing"

This documentation applies to the following versions of Splunk: 2.1 , 2.2 , 2.2.1 , 2.2.3 , 2.2.6 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.