Set the segmentation for event data

By default, Splunk software segments events during indexing to allow for the most flexible searching. There are numerous types of segmentation available, and you can create others if necessary. The type of segmentation that you perform affects indexing speed, search speed, and the amount of disk space that indexes occupy. To learn more about segmentation and the trade-offs between the various types of segmentation, see About event segmentation.

Splunk software can also segment events at search time. You can set search-time segmentation in Splunk Web, as described in Set search-time event segmentation in Splunk Web.

If you know how you want to search for or process events from a specific host, source, or source type, you can configure index-time segmentation for that specific type of event. You can also configure search-time segmentation options for specific types of events.

To set the segmentation for event data using Splunk Cloud, you must configure a universal forwarder on the machine where you want to change the segmentation, and the use the props.conf configuration file to set the segmentation. Depending on the type of segmentation you want to do, you might also need to file a Splunk Support ticket.

Specify segmentation in the props.conf file

The props.conf configuration file lets you specify segmentation for events of particular hosts, sources, or source types by assigning segmentation types to the appropriate stanzas. In the stanzas, you assign segmentation types, or rules, that have been defined in the segmenters.conf file. To learn more about the segmenters.conf file, see segmenters.conf. These rules can be predefined segmentation types, such as inner, outer, or full, or custom types that you define. For more information on defining custom types, see Configure segmentation types.

The setting you configure in the props.conf file to use these segmentation types depends on whether you're configuring index-time or search-time segmentation:

• For index-time segmentation, use the SEGMENTATION setting.
• For search-time segmentation, use the SEGMENTATION-<segment selection> setting.

You can define one or both of the settings in the stanza in the $SPLUNK_HOME/etc/system/local/props.conf file.

Set index-time segmentation

The SEGMENTATION setting determines the segmentation type that Splunk software uses at index time. The syntax is as follows:

[<spec>]
SEGMENTATION = <segmentation_rule>

[<spec>] can be one of the following elements:

• <sourcetype>: A source type in your event data.
• host::<host>: A host value in your event data.
• source::<source>: A source of your event data.

SEGMENTATION = <segmentation_rule> specifies the type of segmentation to use at index time for [<spec>] events.

<segmentation_rule> is a segmentation type, or rule, as defined in the segmenters.conf configuration file. The most common settings are inner, outer, none, and full, but the default file contains other predefined segmentation rules as well. You can create your own custom rule by editing the $SPLUNK_HOME/etc/system/local/segmenters.conf file, as described in Configure segmentation types.

Set search-time segmentation

The SEGMENTATION-<segment_selection> setting helps determine the segmentation type used at search time. The syntax is as follows:

[<spec>]
SEGMENTATION-<segment_selection> = <segmentation_rule>

[<spec>] can be one of the following elements:

• <sourcetype>: A source type in your event data.
• host::<host>: A host value in your event data.
• source::<source>: A source of your event data.

SEGMENTATION-<segment_selection> = <segmentation_rule> specifies the type of segmentation to use at search time in Splunk Web for [<spec>] events.

<segment_selection> can have the full, inner, outer, or raw values. These four values are the set of options that appear in the Event segmentation drop-down menu in the Results display options panel, invoked from the Options above the search results in Splunk Web. Use this setting to specify the actual segmentation type that the option invokes, which might not be of the same name as the drop-down menu option itself. For example, you could define the inner drop-down menu option to invoke the outer segmentation type.

By mapping the drop-down menu option to a <segmentation_rule>, you can later specify the option when looking at search results to set search-time segmentation, as described in Set search-time segmentation in Splunk Web.

<segmentation_rule> is a segmentation type, or rule, as defined in the segmenters.conf file. The most common settings are inner, outer, none, and full, but the default file contains other predefined segmentation rules as well. You can create your own custom rule by editing the $SPLUNK_HOME/etc/system/local/segmenters.conf file, as described in "Configure segmentation types".

Example

This example sets both index-time and search-time segmentation rules for syslog events.

Add the following to the [syslog] source type stanza in the props.conf file:

[syslog]
SEGMENTATION = inner
SEGMENTATION-full= inner

This stanza changes the index-time segmentation for all events with a syslog source type to inner segmentation. It also causes the full radio button in Splunk Web to invoke inner segmentation for those same events.

You must restart Splunk Enterprise to apply changes to search-time segmentation. You must re-index your data to apply index-time segmentation changes to existing data.