
Set the segmentation for event data

By default, Splunk software segments events during indexing to allow for the most flexible searching. There are numerous types of segmentation available, and you can create others if necessary. The type of segmentation that you employ affects indexing speed, search speed, and the amount of disk space the indexes occupy. To learn more about segmentation and the trade-offs between the various types of segmentation, refer to "About segmentation".

Splunk software can also segment events at search time. You can set search-time segmentation in Splunk Web, as described in "Set search-time segmentation in Splunk Web".

If you know how you want to search for or process events from a specific host, source, or source type, you can configure index-time segmentation for that specific type of event. You can also configure search-time segmentation options for specific types of events.

Specify segmentation in props.conf

Specify segmentation for events of particular hosts, sources, or source types by assigning segmentation types to the appropriate stanzas in props.conf. In the stanzas, you assign segmentation types, or "rules", that have been defined in segmenters.conf. These can either be predefined types (such as inner, outer, or full), or custom types that you've defined. For more information on defining custom types, read "Configure segmentation types".

The attribute you configure in props.conf to use these types depends on whether you're configuring index-time or search-time segmentation:

  • For index-time segmentation, use the SEGMENTATION attribute.
  • For search-time segmentation, use the SEGMENTATION-<segment selection> attribute.

You can define either one of the attributes or both together in the stanza.

Add your stanza to $SPLUNK_HOME/etc/system/local/props.conf.

Index-time segmentation

The SEGMENTATION attribute determines the segmentation type used at index time. Here's the syntax:

[<spec>]
SEGMENTATION = <seg_rule>

[<spec>] can be:

  • <sourcetype>: A source type in your event data.
  • host::<host>: A host value in your event data.
  • source::<source>: A source of your event data.

SEGMENTATION = <seg_rule>

  • This specifies the type of segmentation to use at index time for [<spec>] events.
  • <seg_rule>
    • A segmentation type, or "rule", defined in segmenters.conf
    • Common settings are inner, outer, none, and full, but the default file contains other predefined segmentation rules as well.
    • Create your own custom rule by editing $SPLUNK_HOME/etc/system/local/segmenters.conf, as described in "Configure segmentation types".

Search-time segmentation

The SEGMENTATION-<segment_selection> attribute maps one of the Event segmentation options in Splunk Web to the segmentation type used at search time. Here's the syntax:

[<spec>]
SEGMENTATION-<segment_selection> = <seg_rule>

[<spec>] can be:

  • <sourcetype>: A source type in your event data.
  • host::<host>: A host value in your event data.
  • source::<source>: A source of your event data.

SEGMENTATION-<segment_selection> = <seg_rule>

  • This specifies the type of segmentation to use at search time in Splunk Web for [<spec>] events.
  • <segment_selection> can be one of the following: full, inner, outer, or raw.
    • These four values are the set of options displayed in the Event segmentation dropdown box in the Results display options panel, invoked from Options directly above search results in Splunk Web.
    • Note that these values are just the set of available Splunk Web dropdown options. You use this attribute to specify the actual segmentation type that the option invokes, which might not be of the same name as the dropdown option itself. For example, you could even define the "inner" dropdown option to invoke the "outer" segmentation type, not that you'd likely want to.
    • By mapping the dropdown option to a <seg_rule>, a user can later specify the option when looking at search results to set search-time segmentation, as described in "Set search-time segmentation in Splunk Web".
  • <seg_rule>
    • A segmentation type, or "rule", defined in segmenters.conf
    • Common settings are inner, outer, none, and full, but the default file contains other predefined segmentation rules as well.
    • Create your own custom rule by editing $SPLUNK_HOME/etc/system/local/segmenters.conf, as described in "Configure segmentation types".

Example

This example sets both index-time and search-time segmentation rules for syslog events.

Add the following to the [syslog] source type stanza in props.conf:

[syslog]
SEGMENTATION = inner
SEGMENTATION-full = inner

This stanza changes the index-time segmentation for all events with a syslog source type to inner segmentation. It also causes the full option in the Event segmentation dropdown in Splunk Web to invoke inner segmentation for those same events.

Note: You must restart Splunk Enterprise to apply changes to search-time segmentation. Changes to index-time segmentation affect only data indexed after the change; to apply them to data that is already indexed, you must re-index that data.
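Because a SEGMENTATION attribute that names a rule missing from segmenters.conf, or a SEGMENTATION-<segment_selection> attribute whose suffix is not one of the four Splunk Web options, is easy to get wrong and silently changes how events can be searched, it helps to lint props.conf before deploying it. The following script is an added example, not Splunk's own code or tooling, covering both the index-time and the search-time attributes described above. It parses a props.conf and a segmenters.conf with Python's configparser, treats each segmenters.conf stanza name as a defined rule, flags index-time or search-time rules that are not defined, flags SEGMENTATION-<segment_selection> suffixes outside full, inner, outer and raw, and reports where a dropdown option is mapped to a rule of a different name (as the [syslog] example does). The sample props.conf and segmenters.conf contents, the host web-01, the source /var/log/auth.log and the rule custom_rule are constructed for the example and are assumptions, not taken from any real deployment.

```python
"""Lint SEGMENTATION settings in props.conf against segmenters.conf.

Added example, not Splunk's code. It checks the two attributes described on
this page: SEGMENTATION (index time) and SEGMENTATION-<segment_selection>
(search time). Rule names are taken from the stanza names in segmenters.conf.
"""
import configparser
import re
from typing import Dict, List

# The four Splunk Web "Event segmentation" dropdown options named on this page.
SEGMENT_SELECTIONS = {"full", "inner", "outer", "raw"}

# Constructed sample props.conf (hypothetical host, source and rule names).
SAMPLE_PROPS = """\
[syslog]
SEGMENTATION = inner
SEGMENTATION-full = inner

[host::web-01]
SEGMENTATION-outer = custom_rule

[source::/var/log/auth.log]
SEGMENTATION = nosuchrule
SEGMENTATION-partial = inner
"""

# Constructed stand-in for segmenters.conf: only the stanza names matter here.
SAMPLE_SEGMENTERS = """\
[default]
[inner]
[outer]
[none]
[full]
[custom_rule]
"""

SEARCH_TIME_RE = re.compile(r"^SEGMENTATION-(?P<selection>.+)$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Splunk .conf file into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(
        interpolation=None,   # regex values in props.conf may contain '%'
        strict=False,         # tolerate repeated keys or stanzas
        delimiters=("=",),
        comment_prefixes=("#",),
    )
    cp.optionxform = str      # Splunk attribute names are case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def classify_spec(spec: str) -> str:
    """Name the [<spec>] form used by a props.conf stanza, as listed on this page."""
    if spec.startswith("host::"):
        return "host"
    if spec.startswith("source::"):
        return "source"
    return "sourcetype"


def lint_segmentation(props_text: str, segmenters_text: str) -> List[str]:
    """Return ERROR/INFO findings for the segmentation settings in props_text."""
    props = parse_conf(props_text)
    known_rules = set(parse_conf(segmenters_text))  # stanza names = rule names
    findings: List[str] = []
    for spec, settings in props.items():
        where = f"[{spec}] ({classify_spec(spec)})"
        for key, value in settings.items():
            rule = value.strip()
            if key == "SEGMENTATION":  # index-time segmentation
                if rule not in known_rules:
                    findings.append(f"ERROR {where}: index-time rule '{rule}' is not defined in segmenters.conf")
                continue
            m = SEARCH_TIME_RE.match(key)
            if not m:
                continue  # some other props.conf attribute; not our concern
            selection = m.group("selection")
            if selection not in SEGMENT_SELECTIONS:
                findings.append(f"ERROR {where}: '{key}' names no Splunk Web option; expected one of {sorted(SEGMENT_SELECTIONS)}")
                continue
            if rule not in known_rules:
                findings.append(f"ERROR {where}: search-time rule '{rule}' for option '{selection}' is not defined in segmenters.conf")
            elif rule != selection:
                findings.append(f"INFO {where}: dropdown option '{selection}' invokes the '{rule}' rule")
    return findings


if __name__ == "__main__":
    for line in lint_segmentation(SAMPLE_PROPS, SAMPLE_SEGMENTERS):
        print(line)
```

Run against the sample input, the script reports two errors (the undefined index-time rule nosuchrule and the invalid SEGMENTATION-partial suffix) and two informational mappings (full to inner, outer to custom_rule). To use it on a real system, read $SPLUNK_HOME/etc/system/local/props.conf and the merged segmenters.conf (default plus local) into the two text arguments; the INFO lines are worth reviewing whenever a dropdown option is mapped to a rule of a different name, since users choosing that option in Splunk Web will not get the segmentation its label suggests.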

Last modified on 21 July, 2016

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408

