Splunk® Enterprise

Admin Manual


Splunk version 4.x reached its End of Life on October 1, 2013.
This documentation does not apply to the most recent version of Splunk.

Configure custom segmentation for a host, source, or source type

By default, Splunk fully segments events to allow for the most flexible searching. For an overview of how segmentation works, see the segmentation topic in this manual.

If you know how you want to search for or process events from a specific host, source, or sourcetype, you can configure custom segmentation for that type of event. Restricting segmentation for a given host, source, or sourcetype reduces the number of terms written to the index, which improves indexing and search performance and can reduce index storage size. The trade-off is that terms the chosen segmenter no longer emits are not indexed as tokens, so searches that depend on those terms become slower; choose a segmenter only after you know which terms you need to search on.

Configure custom segmentation in props.conf

Configure custom segmentation for events of a host, source, or sourcetype by adding the SEGMENTATION and SEGMENTATION-<segment selection> attributes to the appropriate stanza in props.conf. The values you assign are the names of segmentation rules defined in segmenters.conf; SEGMENTATION controls index-time segmentation and SEGMENTATION-<segment selection> controls search-time (Splunk Web) segmentation.

Add your stanza to $SPLUNK_HOME/etc/system/local/props.conf. Specify the following attribute/value pairs:

[<spec>]
SEGMENTATION = <segmenter>
SEGMENTATION-<segment selection> = <segmenter>

[<spec>] can be:

  • <sourcetype>: A sourcetype in your event data.
  • host::<host>: A host value in your event data.
  • source::<source>: A source of your event data.

SEGMENTATION = <segmenter>

  • This specifies the segmentation rule ("segmenter") from segmenters.conf to use at index time.

SEGMENTATION-<segment selection> = <segmenter>

  • This setting affects only how search results appear in Splunk Web; it does not change index-time segmentation.
  • It tells Splunk Web to use the specified segmenter (from segmenters.conf) for the given <segment selection> choice. The <segment selection> choices appear as the segmentation types a user can select when viewing search results in Splunk Web.
  • The default <segment selection> choices are: all, inner, outer, and raw.
  • Do not change the set of default <segment selection> choices unless you have an overriding reason to do so. A changed set of choices does not appear in Splunk Web until you also edit the Splunk Web UI, which you probably do not want to attempt. You can, however, change the segmenter that a given <segment selection> calls.

<segmenter>

  • This is a segmentation rule defined in segmenters.conf.
  • Pre-defined default rules include: inner, outer, none, and full.
  • You can create your own custom rule by editing $SPLUNK_HOME/etc/system/local/segmenters.conf.
  • For more information on configuring segmenters.conf, see the segmenters.conf topic in this manual.

Example

The following example can improve search performance and reduce the size of the index for syslog events. It does not alter the raw event text; it reduces the number of terms the indexer extracts from each event.

Add the following to the [syslog] source type stanza in props.conf:

[syslog]
SEGMENTATION = inner
SEGMENTATION-all = inner

This changes the segmentation of all events that have a sourcetype of syslog to inner segmentation, both at index time (through the SEGMENTATION attribute) and at search time in Splunk Web (through the SEGMENTATION-<segment selection> attribute).

Note: You must restart Splunk to apply changes to Splunk Web search-time segmentation. Changes to index-time segmentation apply only to events indexed after the change; data that is already indexed keeps its original segmentation until you re-index it. To confirm which stanza Splunk actually applies after merging all props.conf files, run splunk btool props list <spec> --debug.
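As an added example (not code from Splunk or from this manual), the following Python script cross-checks a props.conf against segmenters.conf using the rules described above: every SEGMENTATION and SEGMENTATION-<segment selection> value must name a segmenter that is pre-defined (inner, outer, none, full) or defined in segmenters.conf, and the <segment selection> part should be one of the default choices all, inner, outer, and raw. The sample props.conf and segmenters.conf contents, the host dbserver01, the source path /var/log/app.log and the custom segmenter name mysegmenter are constructed for the demonstration. The script also reports the index-time segmenter a single stanza specifies, falling back to full (the default described above) when the stanza sets none; it does not model precedence between overlapping host, source, and sourcetype stanzas.

```python
"""Check SEGMENTATION settings in props.conf against segmenters.conf.

Added example, not Splunk's own code: parses both .conf files with
configparser and flags segmenters that are not defined and
<segment selection> names that Splunk Web does not offer by default.
"""
import configparser

# The <segment selection> choices Splunk Web offers out of the box.
DEFAULT_SELECTIONS = {"all", "inner", "outer", "raw"}
# Segmenters pre-defined in the default segmenters.conf.
BUILTIN_SEGMENTERS = {"inner", "outer", "none", "full"}
# Index-time behaviour when no SEGMENTATION attribute applies: full segmentation.
DEFAULT_INDEX_SEGMENTER = "full"


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {attribute: value}}.

    Splunk .conf files are INI-like. Stanza names such as host::web01 or
    source::/var/log/app.log and case-sensitive attribute names are kept as-is.
    """
    cp = configparser.RawConfigParser(delimiters=("=",),
                                      comment_prefixes=("#",), strict=False)
    cp.optionxform = str  # keep SEGMENTATION-all etc. case-sensitive
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def known_segmenters(segmenters_text=""):
    """Builtin segmenters plus every stanza defined in a local segmenters.conf."""
    custom = set(parse_conf(segmenters_text)) if segmenters_text else set()
    return BUILTIN_SEGMENTERS | custom


def check_segmentation(props_text, segmenters_text=""):
    """Return [(stanza, attribute, problem)] for every questionable setting.

    problem is "unknown-segmenter" when the value names no segmenter from
    segmenters.conf, or "nondefault-selection" when SEGMENTATION-<x> uses an
    <x> that Splunk Web will not display without UI changes.
    """
    segmenters = known_segmenters(segmenters_text)
    problems = []
    for stanza, attrs in parse_conf(props_text).items():
        for attr, value in attrs.items():
            if attr == "SEGMENTATION":
                if value not in segmenters:
                    problems.append((stanza, attr, "unknown-segmenter"))
            elif attr.startswith("SEGMENTATION-"):
                selection = attr[len("SEGMENTATION-"):]
                if selection not in DEFAULT_SELECTIONS:
                    problems.append((stanza, attr, "nondefault-selection"))
                if value not in segmenters:
                    problems.append((stanza, attr, "unknown-segmenter"))
    return problems


def index_time_segmenter(props_text, spec):
    """Segmenter applied at index time by one exact stanza ([<sourcetype>],
    [host::<host>] or [source::<source>]). Looks only at that stanza; it does
    not model precedence between overlapping stanzas or [default] inheritance."""
    attrs = parse_conf(props_text).get(spec, {})
    return attrs.get("SEGMENTATION", DEFAULT_INDEX_SEGMENTER)


# Constructed sample files for the demonstration (not real deployment files).
SAMPLE_PROPS = """\
# constructed props.conf: the page's syslog example plus two flawed stanzas
[syslog]
SEGMENTATION = inner
SEGMENTATION-all = inner

[host::dbserver01]
SEGMENTATION = mysegmenter
SEGMENTATION-outer = outer

[source::/var/log/app.log]
SEGMENTATION-compact = none
"""

SAMPLE_SEGMENTERS = """\
# constructed segmenters.conf defining one custom rule (hypothetical name)
[mysegmenter]
INTERMEDIATE_MAJORS = false
"""

if __name__ == "__main__":
    for stanza, attr, problem in check_segmentation(SAMPLE_PROPS, SAMPLE_SEGMENTERS):
        print(f"[{stanza}] {attr}: {problem}")
    print("syslog index-time segmenter:", index_time_segmenter(SAMPLE_PROPS, "syslog"))
```

To check a live deployment, read $SPLUNK_HOME/etc/system/local/props.conf and $SPLUNK_HOME/etc/system/local/segmenters.conf with open() and pass their contents in place of the constructed samples. With the samples above, the host::dbserver01 stanza is clean only because mysegmenter is defined in the sample segmenters.conf; run check_segmentation without the second argument and it is reported as an unknown segmenter, and the SEGMENTATION-compact attribute is reported in both cases because compact is not one of the default <segment selection> choices.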


This documentation applies to the following versions of Splunk® Enterprise: 4.3

