About event segmentation
Segmentation breaks events up into searchable segments at index time, and again at search time.
Segments can be classified as major or minor. Minor segments are breaks within major segments. For example, the IP address 192.0.2.223 is a major segment. But this major segment can be broken down into minor segments, such as "192", as well as groups of minor segments like "
You can define how detailed the event segmentation should be. This is important because index-time segmentation affects indexing and search speed, storage size, and the ability to use typeahead functionality (where Splunk Web provides items that match text you type into the Search bar). Search-time segmentation, on the other hand, affects search speed and the ability to create searches by selecting items from the results displayed in Splunk Web.
For more information about the distinction between "index time" and "search time," see "Index time versus search time" in the Managing Indexers and Clusters manual.
If you have Splunk Enterprise, you configure index-time segmentation on the indexer or heavy forwarder machines, and search-time segmentation on the search head.
If you have Splunk Cloud, you configure index-time segmentation on heavy forwarder machines, and must file a Support ticket to configure search-time segmentation.
Types of event segmentation
There are three main types, or levels, of segmentation, configurable at index or search time:
- Inner segmentation breaks events down into the smallest minor segments possible. For example, when an IP address such as 192.0.2.223 goes through inner segmentation, it is broken down into 223. Setting inner segmentation at index time leads to faster indexing and searching and reduced disk usage. However, it restricts the typeahead functionality, so that a user can only type ahead at the minor segment level.
- Outer segmentation is the opposite of inner segmentation. Under outer segmentation, Splunk software only indexes major segments. For example, the IP address 192.0.2.223 gets indexed as 192.0.2.223, which means that you cannot search on individual pieces of the phrase. You can still use wildcards, however, to search for pieces of a phrase. For example, you can search for 192.0* and you will get any events that have IP addresses that start with 192.0. Also, outer segmentation disables the ability to click on different segments of search results, such as the 192.0 segment of the same IP address. Outer segmentation tends to be marginally more efficient than full segmentation, while inner segmentation tends to be much more efficient.
- Full segmentation is a combination of inner and outer segmentation. Under full segmentation, the IP address is indexed both as a major segment and as a variety of minor segments, including minor segment combinations like 192.0.2. This is the least efficient indexing option, but it provides the most versatility in terms of searching.
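The three levels above, sketched as an added example (not Splunk's code): it segments one constructed event and shows which terms each level makes searchable. The breaker sets, the prefix rule for minor segment groups, and all function names are assumptions for illustration; the real breakers are defined in segmenters.conf.

```python
import re
from fnmatch import fnmatchcase

# Assumed breaker sets for this sketch; the real ones live in segmenters.conf.
MAJOR_BREAKERS = re.compile(r"[\s,;|()\[\]]+")
MINOR_BREAKERS = re.compile(r"[./:=@_-]")

# Constructed sample event.
EVENT = "Failed password for admin from 192.0.2.223 port 22"

def major_segments(event):
    return [s for s in MAJOR_BREAKERS.split(event) if s]

def minor_segments(major):
    return [p for p in MINOR_BREAKERS.split(major) if p]

def minor_groups(major):
    # Assumption: groups are the prefixes ending at each minor breaker
    # (192, 192.0, 192.0.2 for the sample IP address).
    return [major[:m.start()] for m in MINOR_BREAKERS.finditer(major) if m.start() > 0]

def segment(event, level):
    """Return the set of terms indexed for `event` at the given level."""
    if level not in ("inner", "outer", "full"):
        raise ValueError("unknown segmentation level: " + level)
    terms = set()
    for major in major_segments(event):
        if level in ("outer", "full"):
            terms.add(major)                    # whole major segment
        if level in ("inner", "full"):
            terms.update(minor_segments(major)) # smallest pieces
        if level == "full":
            terms.update(minor_groups(major))   # combinations such as 192.0.2
    return terms

def term_hits(term, terms):
    # Literal or wildcard lookup against the indexed terms only.
    return any(fnmatchcase(t, term) for t in terms)

if __name__ == "__main__":
    for level in ("inner", "outer", "full"):
        print(level, sorted(segment(EVENT, level)))
    for level in ("outer", "full"):
        terms = segment(EVENT, level)
        for probe in ("192.0*", "192.0.2"):
            print(level, probe, "->", term_hits(probe, terms))
```

For detection content, the practical consequence is the outer case: a search written against a partial address such as 192.0.2 finds nothing unless it is written with a wildcard.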
The segmenters.conf file, located in $SPLUNK_HOME/etc/system/default, defines all available segmentation types. By default, index-time segmentation is set to the indexing type, which is a combination of inner and outer segmentation. Search-time segmentation is set to full segmentation.
The most space-efficient segmentation setting is to disable segmentation completely. This has significant implications for search, however. By disabling segmentation, you restrict searches to indexed fields, such as time, source, host, and source type. Searches for keywords will return no results. You must pipe your searches through the search command to further restrict results. Use this setting only if you do not need any advanced search capability.
Configure segmentation types
segmenters.conf defines segmentation types. You can define custom segmentation types, if necessary.
For information on the types of segmentation available by default, look at the segmenters.conf file in
Important: Do not modify the default file. If you want to make changes to the existing segmentation stanzas or create new ones altogether, you can copy the default file to $SPLUNK_HOME/etc/system/local/ or to a custom app directory in $SPLUNK_HOME/etc/apps/. For information on configuration files and directory locations, see "About configuration files".
Set segmentation types for specific hosts, sources, or source types
You can configure index-time and search-time segmentation to apply to specific hosts, sources, or source types. If you run searches that involve a particular source type on a regular basis, you could use this capability to improve the performance of those searches. Similarly, if you typically index a large number of syslog events, you could use this feature to help decrease the overall disk space that those events take up.
For details about how to apply segmentation types to specific event categories, see "Set the segmentation for event data".
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.1.0, 7.1.1, 7.1.2