Configure custom segmentation for a host, source, or source type
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Configure custom segmentation for a host, source, or source type
By default, Splunk fully segments events to allow for the most flexible searching. To learn more about segmentation in general, refer to this page about segmentation.
If you know how you want to search for or process events from a specific host, source, or source type, you can configure custom segmentation for that specific type of event. Configuring custom segmentation for a given host, source, or source type improves indexing and search performance and can reduce index size (on disk).
Configure custom segmentation in props.conf
Configure custom segmentation for events of a host, source, or source type by adding the SEGMENTATION and SEGMENTATION-<segment selection> attributes to a host, source, or source type stanza in props.conf. Assign values to the attributes using rules for index time and search time (Splunk Web) segmentation that are defined in segmenters.conf.
Add your stanza to $SPLUNK_HOME/etc/system/local/props.conf. Specify the following attribute/value pairs:
[<spec>] SEGMENTATION = $SEG_RULE SEGMENTATION-<segment selection> = $SEG_RULE
[<spec>] can be:
-
<sourcetype>: A source type in your event data. -
host::<host>: A host value in your event data. -
source::<source>: A source of your event data.
SEGMENTATION = $SEG_RULE
- Specify the segmentation to use at index time.
- Set
$SEG_RULEto inner, outer, none, or full.
SEGMENTATION-<segment selection> = $SEG_RULE
- Specify the type of segmentation to use at search time.
- This only applies to the appearance in Splunk Web.
-
<segment selection>refers to the radio buttons in Splunk Web preferences panel. Map these radio buttons to your custom$SEG_RULE. -
<segment selection>can be one of the following: all, inner, outer, raw.
$SEG_RULE
- A segmentation rule defined in
segmenters.conf - Defaults are inner, outer, none, full.
- Create your own custom rule by editing
$SPLUNK_HOME/etc/system/local/segmenters.conf. - For more information on configuring
segmenters.conf, see this page.
Example
The following example can increase search performance (in Splunk Web) and reduce the index size of your syslog events.
Add the following to the [syslog] source type stanza in props.conf:
[syslog] SEGMENTATION = inner SEGMENTATION-all = inner
This example changes the segmentation of all events that have sourcetype=syslog to inner segmentation at index time (using the SEGMENTATION attribute), and in Splunk Web (using the SEGMENTATION-<segment selection> attribute).
Note: You must restart Splunk to apply changes to Splunk Web segmentation, and you must re-index your data to apply changes to index time segmentation.
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.
Comments
More examples of different types would be nice!
Could you suggest some types of examples you'd like to see? Also, the 4.1.4 version of this topic has been rewritten to a large extent. You might find that it provides a clearer explanation of how to use this feature.
Thanks,
Steve G. (writer at Splunk)