Set the segmentation for event data
By default, Splunk software segments events during indexing to allow for the most flexible searching. There are numerous types of segmentation available, and you can create others if necessary. The type of segmentation that you employ affects indexing speed, search speed, and the amount of disk space the indexes occupy. To learn more about segmentation and the trade-offs between the various types of segmentation, refer to "About segmentation".
Splunk software can also segment events at search time. You can set search-time segmentation in Splunk Web, as described in "Set search-time segmentation in Splunk Web".
If you know how you want to search for or process events from a specific host, source, or source type, you can configure index-time segmentation for that specific type of event. You can also configure search-time segmentation options for specific types of events.
Specify segmentation in props.conf
Specify segmentation for events of particular hosts, sources, or source types by assigning segmentation types to the appropriate stanzas in props.conf. In the stanzas, you assign segmentation types, or "rules", that have been defined in segmenters.conf. These can be either predefined types (such as inner, outer, or full) or custom types that you've defined. For more information on defining custom types, read "Configure segmentation types".
The attribute you configure in props.conf to use these types depends on whether you're configuring index-time or search-time segmentation:
- For index-time segmentation, use the SEGMENTATION attribute.
- For search-time segmentation, use the SEGMENTATION-<segment_selection> attribute.
You can define either one of the attributes or both together in the same stanza.
Add your stanza to $SPLUNK_HOME/etc/system/local/props.conf.
Index-time segmentation
The SEGMENTATION attribute determines the segmentation type used at index time. Here's the syntax:
[<spec>]
SEGMENTATION = <seg_rule>
[<spec>] can be:
- <sourcetype>: A source type in your event data.
- host::<host>: A host value in your event data.
- source::<source>: A source of your event data.
SEGMENTATION = <seg_rule>
- This specifies the type of segmentation to use at index time for [<spec>] events.
<seg_rule>
- A segmentation type, or "rule", defined in segmenters.conf.
- Common settings are inner, outer, none, and full, but the default file contains other predefined segmentation rules as well.
- Create your own custom rule by editing $SPLUNK_HOME/etc/system/local/segmenters.conf, as described in "Configure segmentation types".
Search-time segmentation
The SEGMENTATION-<segment_selection> attribute helps determine the segmentation type used at search time. Here's the syntax:
[<spec>]
SEGMENTATION-<segment_selection> = <seg_rule>
[<spec>] can be:
- <sourcetype>: A source type in your event data.
- host::<host>: A host value in your event data.
- source::<source>: A source of your event data.
SEGMENTATION-<segment_selection> = <seg_rule>
- This specifies the type of segmentation to use at search time in Splunk Web for [<spec>] events.
<segment_selection> can be one of the following: full, inner, outer, or raw.
- These four values are the set of options displayed in the Event segmentation dropdown box in the Results display options panel, invoked from Options directly above search results in Splunk Web.
- Note that these values are just the set of available Splunk Web dropdown options. You use this attribute to specify the actual segmentation type that the option invokes, which might not have the same name as the dropdown option itself. For example, you could even define the "inner" dropdown option to invoke the "outer" segmentation type, not that you'd likely want to.
- By mapping the dropdown option to a <seg_rule>, a user can later select that option when looking at search results to set search-time segmentation, as described in "Set search-time segmentation in Splunk Web".
<seg_rule>
- A segmentation type, or "rule", defined in segmenters.conf.
- Common settings are inner, outer, none, and full, but the default file contains other predefined segmentation rules as well.
- Create your own custom rule by editing $SPLUNK_HOME/etc/system/local/segmenters.conf, as described in "Configure segmentation types".
Example
This example sets both index-time and search-time segmentation rules for syslog events.
Add the following to the [syslog] source type stanza in props.conf:
[syslog]
SEGMENTATION = inner
SEGMENTATION-full = inner
This stanza changes the index-time segmentation for all events with a syslog source type to inner segmentation. It also causes the full option in the Event segmentation dropdown in Splunk Web to invoke inner segmentation for those same events.
Note: You must restart Splunk Enterprise to apply changes to search-time segmentation. You must re-index your data to apply index-time segmentation changes to existing data.
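Because a SEGMENTATION value that names a rule missing from segmenters.conf, or a SEGMENTATION-<segment_selection> key whose selection is not one of the four dropdown options, only shows up as odd search behaviour after a restart or re-index, it is worth linting the stanzas before deploying them. The following is an added example, not Splunk's own code and not part of the original page: it parses a props.conf and a segmenters.conf with Python's configparser, checks that every index-time and search-time rule is actually defined, and flags selection names Splunk Web does not offer. The SAMPLE_PROPS and SAMPLE_SEGMENTERS contents are constructed for the demonstration; the segmenters.conf stand-in lists only stanza names and omits the real file's settings.

```python
"""Lint SEGMENTATION settings in props.conf against segmenters.conf.

Added example; this is not Splunk's own code. It checks that every
index-time SEGMENTATION and search-time SEGMENTATION-<segment_selection>
value names a rule that segmenters.conf defines, and flags any
<segment_selection> that is not one of the four Splunk Web options.
"""
import configparser
from typing import Dict, List, Set

# The four values Splunk Web offers in the Event segmentation dropdown.
SEGMENT_SELECTIONS = {"full", "inner", "outer", "raw"}

# Constructed sample props.conf: the page's syslog example plus two
# stanzas with deliberate mistakes (undefined rule, bad selection name).
SAMPLE_PROPS = """
[syslog]
SEGMENTATION = inner
SEGMENTATION-full = inner

[host::web01]
SEGMENTATION = outer
SEGMENTATION-raw = none

[source::/var/log/app.log]
SEGMENTATION = custom_rule
SEGMENTATION-verbose = full
"""

# Constructed, trimmed-down segmenters.conf stand-in: only the four common
# rule names; the real default file defines more rules and their settings.
SAMPLE_SEGMENTERS = """
[full]
# settings omitted in this constructed sample
[inner]
# settings omitted in this constructed sample
[outer]
# settings omitted in this constructed sample
[none]
# settings omitted in this constructed sample
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {setting: value}}.

    Splunk settings are case-sensitive, so configparser's default
    lower-casing of keys is disabled; '%' interpolation is disabled so
    values may contain literal '%' and '$'; only '=' separates setting
    from value, because values and stanza names such as host::web01
    contain ':'.
    """
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True,
        delimiters=("=",), comment_prefixes=("#",),
    )
    cp.optionxform = str  # keep SEGMENTATION-full exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def lint_segmentation(props: Dict[str, Dict[str, str]],
                      rules: Set[str]) -> List[str]:
    """Return one finding per problem; an empty list means clean."""
    findings: List[str] = []
    for stanza, settings in props.items():
        for key, value in settings.items():
            if key == "SEGMENTATION":
                if value not in rules:
                    findings.append(
                        f"[{stanza}] SEGMENTATION = {value}: "
                        f"rule is not defined in segmenters.conf")
            elif key.startswith("SEGMENTATION-"):
                selection = key[len("SEGMENTATION-"):]
                if selection not in SEGMENT_SELECTIONS:
                    findings.append(
                        f"[{stanza}] {key}: '{selection}' is not a Splunk "
                        f"Web option ({', '.join(sorted(SEGMENT_SELECTIONS))})")
                if value not in rules:
                    findings.append(
                        f"[{stanza}] {key} = {value}: "
                        f"rule is not defined in segmenters.conf")
    return findings


def lint_files(props_text: str, segmenters_text: str) -> List[str]:
    """Lint props.conf text against the stanza names in segmenters.conf text."""
    return lint_segmentation(parse_conf(props_text),
                             set(parse_conf(segmenters_text)))


if __name__ == "__main__":
    # Expect two findings, both for the source::/var/log/app.log stanza.
    for finding in lint_files(SAMPLE_PROPS, SAMPLE_SEGMENTERS):
        print(finding)
```

To run it against a real deployment, read $SPLUNK_HOME/etc/system/local/props.conf and the merged segmenters.conf (default plus local) instead of the constructed strings. On a running instance, `splunk btool props list syslog --debug` prints the merged [syslog] stanza together with the file each setting came from, which confirms that the stanza in system/local is the one that takes effect rather than a copy in an app's local directory.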
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408