This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4
You can apply the segmentation rules in segmenters.conf to a specific host, source, or sourcetype by configuring props.conf. Create a stanza in props.conf that designates the host, source, or sourcetype, and then add the two required keys: SEGMENTATION and SEGMENTATION-all. These keys must refer to segmentation rules you have created in $SPLUNK_HOME/etc/bundles/local/segmenters.conf or to rules that already exist in $SPLUNK_HOME/etc/bundles/default/segmenters.conf.
Important: SEGMENTATION must be fully capitalized.
[<spec>]
SEGMENTATION = $SEG_RULE
SEGMENTATION-all = $SEG_RULE2
<spec> can be:
$SEG_RULE and $SEG_RULE2 refer to the segmentation rules you have created in segmenters.conf. They can be different or the same.
Add the following to $SPLUNK_HOME/etc/bundles/local/props.conf:
[syslog]
SEGMENTATION = inner
SEGMENTATION-all = inner
This will change all syslog data to use inner segmentation.
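The rules above (both keys present, key spelled as shown, value naming an existing segmenters.conf stanza) can be checked before a restart. The following is an added example, not Splunk code: the function names, the simplified parser (only `[stanza]` and `key = value` lines) and the sample file contents, including the rule name my_rule, are constructed for illustration.

```python
# Key spellings exactly as shown on this page (assumed to be the only valid forms).
REQUIRED = {"SEGMENTATION", "SEGMENTATION-all"}

def parse_conf(text):
    """Return {stanza: [(key, value), ...]} for simple [stanza] / key = value text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current].append((key, value))
    return stanzas

def check_segmentation(props_text, segmenters_texts):
    """List problems with the segmentation keys found in props.conf text."""
    rules = set()
    for text in segmenters_texts:  # default and local segmenters.conf contents
        rules.update(parse_conf(text))
    problems = []
    for stanza, pairs in parse_conf(props_text).items():
        seen, touched = set(), False
        for key, value in pairs:
            if key.upper() not in ("SEGMENTATION", "SEGMENTATION-ALL"):
                continue  # unrelated props.conf key
            touched = True
            if key not in REQUIRED:
                problems.append(f"[{stanza}] {key}: write the key as SEGMENTATION or SEGMENTATION-all")
                continue
            seen.add(key)
            if value not in rules:
                problems.append(f"[{stanza}] {key}: no rule named '{value}' in segmenters.conf")
        if touched and seen != REQUIRED:
            problems.append(f"[{stanza}]: both SEGMENTATION and SEGMENTATION-all are required")
    return problems

# Constructed sample input; in practice read the three files from the bundle directories.
DEFAULT_SEGMENTERS = "[inner]\n"
LOCAL_SEGMENTERS = "# local rules\n[my_rule]\n"
PROPS = ("[syslog]\nSEGMENTATION = inner\nSEGMENTATION-all = inner\n"
         "[access_log]\nSegmentation = inner\nSEGMENTATION-all = my_rule\n"
         "[app_log]\nSEGMENTATION = missing_rule\n")

if __name__ == "__main__":
    for problem in check_segmentation(PROPS, [DEFAULT_SEGMENTERS, LOCAL_SEGMENTERS]):
        print(problem)
```
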