This documentation does not apply to the most recent version of Splunk.

segmenters.conf

segmenters.conf defines schemes for how events will be tokenized in Splunk's index. These schemes are applied to events from particular sources, hosts or sourcetypes via props.conf.

segmenters.conf.spec

# This file contains possible attribute/value pairs for configuring segmentation of events in
# segmenters.conf.
#
# You can configure Splunk's method of segmenting indexed data and data to be displayed
# in SplunkWeb by creating your own segmenters.conf.
# There is a segmenters.conf in $SPLUNK_HOME/etc/bundles/default/.  To set custom configurations, 
# place a segmenters.conf in your own custom bundle directory.
#
[SegmenterName]
    * Name your stanza.
    * Follow this stanza name with any number of the following attribute/value pairs.
    * If you don't specify an attribute/value pair, Splunk will use the default.

MAJOR = <space separated list of strings>
    * Set major breakers.
    * Major breakers are words, phrases or terms in your data that are surrounded by breaking characters.
    * By default, major breakers are set to most characters and blank spaces.
    * Typically, major breakers are single characters.
    * Default is [ ] < > ( ) { } | ! ; , ' " * \n \r \s \t & ? + %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 %5D %5B %3A %0A %2C %28 %29
    * Please note: \s represents the space; \n, the newline; \r, the carriage return; and \t, the tab.

MINOR = <space separated list of strings>
    * Set minor breakers.
    * In addition to the segments specified by the major breakers, for each minor breaker found,
      Splunk will index the token from the last major breaker to the current minor breaker and
      from the last minor breaker to the current minor breaker.
    * Default is / : = @ . - $ # % \\ _

FILTER = <regular expression>
    * If set, segmentation will only take place if the regular expression matches.
    * Furthermore, segmentation will only take place on the first group of the matching regex.
    * Default is empty.

LOOKAHEAD = <integer>
    * Set how far into a given event (in characters) Splunk will segment.
    * If FILTER is set as well, this is applied after filtration.
    * Set this to 0 to turn off segmentation entirely.
    * Defaults to -1.

MINOR_LEN = <integer>
    * Specify how long a minor token can be.
    * Longer minor tokens are discarded without prejudice.
    * Defaults to -1.

MAJOR_LEN = <integer>
    * Specify how long a major token can be.
    * Longer major tokens are discarded without prejudice.
    * Defaults to -1.

MINOR_COUNT = <integer>
    * Specify how many minor segments are created per event.
    * After the specified number of minor tokens have been created, later ones will be
      discarded without prejudice.
    * Defaults to -1.

MAJOR_COUNT = <integer>
    * Specify how many major segments are created per event.
    * After the specified number of major segments have been created, later ones will be
      discarded without prejudice.
    * Defaults to -1.

segmenters.conf.example

# The following are examples of segmentation configurations.
#
# To use one or more of these configurations, copy the configuration block into
# segmenters.conf in your own custom bundle.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
# Example of a segmenter that doesn't index the date as segments in syslog data:
[syslog]
FILTER = ^.*?\d\d:\d\d:\d\d\s+\S+\s+(.*)$
# Example of a segmenter that only indexes the first 256b of events:
[limited-reach]
LOOKAHEAD = 256
# Example of a segmenter that only indexes the first line of an event:
[first-line]
FILTER = ^(.*?)(\n|$)
# Turn segmentation off completely:
[no-segmentation]
LOOKAHEAD = 0
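
The following Python sketch is an added example, not Splunk's code: it models the FILTER, LOOKAHEAD and major/minor breaker rules as the spec text above words them, to show which tokens of an event would be indexed under the [syslog] stanza compared with no FILTER. The reduced breaker lists, the sample event and the function names are assumptions made for the illustration.

```python
import re

# Subsets of the default breakers listed in the spec, kept short for the demo.
MAJOR = [" ", "\n", "\r", "\t", "[", "]", "<", ">", "(", ")", ",", ";", '"', "'"]
MINOR = ["/", ":", "=", "@", ".", "-", "_"]

# FILTER value copied from the [syslog] stanza in segmenters.conf.example.
SYSLOG_FILTER = r"^.*?\d\d:\d\d:\d\d\s+\S+\s+(.*)$"

# Constructed sample event, not taken from any real log.
EVENT = "Jan  5 14:02:11 gw01 sshd[311]: Failed password for root from 10.1.2.3"


def _alternation(breakers):
    """Build a regex alternation that matches any one of the breakers."""
    return "|".join(re.escape(b) for b in breakers)


def segment(event, filter_re=None, lookahead=-1):
    """Return the set of tokens this simplified model would index."""
    if filter_re is not None:
        match = re.search(filter_re, event)
        if match is None:
            return set()              # FILTER set, no match: no segmentation
        event = match.group(1)        # only the first group is segmented
    if lookahead == 0:
        return set()                  # LOOKAHEAD = 0 turns segmentation off
    if lookahead > 0:
        event = event[:lookahead]     # applied after filtration
    tokens = set()
    for major_seg in re.split(_alternation(MAJOR), event):
        if not major_seg:
            continue
        tokens.add(major_seg)
        last_minor_end = 0
        for hit in re.finditer(_alternation(MINOR), major_seg):
            tokens.add(major_seg[:hit.start()])                # last major -> this minor
            tokens.add(major_seg[last_minor_end:hit.start()])  # last minor -> this minor
            last_minor_end = hit.end()
        # The spec text names no token for the tail after the last minor
        # breaker, so this model does not emit one.
    tokens.discard("")
    return tokens


if __name__ == "__main__":
    print("no FILTER:    ", sorted(segment(EVENT)))
    print("syslog FILTER:", sorted(segment(EVENT, filter_re=SYSLOG_FILTER)))
```

With the [syslog] FILTER the timestamp and host name fall outside the first capture group, so the model produces no tokens for them, while the message body is segmented as before.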

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6.

