Configure custom segmentation for a host, source, or source type
By default, Splunk fully segments events to allow for the most flexible searching. To learn more about segmentation in general, refer to this page about segmentation.
If you know how you want to search for or process events from a specific host, source, or sourcetype, you can configure custom segmentation for that specific type of event. Configuring custom segmentation for a given host, source, or sourcetype improves indexing and search performance and can reduce index storage size.
Configure custom segmentation in props.conf
Configure custom segmentation for events of a host, source, or sourcetype by adding the
SEGMENTATION-<segment selection> attributes to the appropriate stanza in
props.conf. Assign values to the attributes using rules for index-time and search-time (Splunk Web) segmentation defined in
Add your stanza to
$SPLUNK_HOME/etc/system/local/props.conf. Specify the following attribute/value pairs:
[<spec>] SEGMENTATION = <segmenter> SEGMENTATION-<segment selection> = <segmenter>
[<spec>] can be:
<sourcetype>: A sourcetype in your event data.
host::<host>: A host value in your event data.
source::<source>: A source of your event data.
SEGMENTATION = <segmenter>
- This specifies the segmentation rule ("segmenter") from
segmenters.confto use at index time.
SEGMENTATION-<segment selection> = <segmenter>
- This setting affects how search results appear in Splunk Web; it does not change the index-time segmentation.
- This specifies that Splunk Web should use the specified segmenter (from
segmenters.conf) for the given
<segment selection>choice. The
<segment selection>choices appear as segmentation types that the user can select when viewing search results in Splunk Web. Look here for more information.
<segment selection>choices are: all, inner, outer, and raw.
- Do not change the set of default
<segment selection>choices, unless you have some overriding reason for doing so. In order for a changed set of
<segment selection>choices to appear in Splunk Web, you will first need to edit the Splunk Web UI, which you probably will not want to attempt to do. You can, however, change the segmenter that a given
- This is a segmentation rule defined in
- Pre-defined default rules include: inner, outer, none, and full.
- You can create your own custom rule by editing
- For more information on configuring
segmenters.conf, see this page.
The following example can increase search performance and reduce the size of syslog events in your index.
Add the following to the
[syslog] source type stanza in
[syslog] SEGMENTATION = inner SEGMENTATION-all = inner
This changes the segmentation of all events that have a sourcetype of
syslog to inner segmentation, both at index time (through the
SEGMENTATION attribute) and at search time in Splunk Web (through the
SEGMENTATION-<segment selection> attribute).
Note: You must restart Splunk to apply changes to Splunk Web search-time segmentation, and you must re-index your data to apply changes to index-time segmentation.
How Splunk stores indexes
Move the index database
This documentation applies to the following versions of Splunk® Enterprise: 4.3