This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6
Once you have configured segmentation rules in segmenters.conf, assign these rules to a specific host, source, or sourcetype via props.conf. Create a stanza in props.conf, designating your desired host, source or sourcetype, and then add the two required keys - the [segmentation=] key and the [segmentation-all=] key. These keys must refer to the segmentation rules you have created in $SPLUNK_HOME/etc/bundles/local/segmenters.conf or rules that already exist in $SPLUNK_HOME/etc/bundles/default/segmenters.conf.
[<spec>] SEGMENTATION = $SEG_RULE SEGMENTATION-all = $SEG_RULE2
<spec> can be:
$SEG_RULE and $SEG_RULE2 refer to the segmentation rules you have created in segmenters.conf. They can be different or the same.
Add the following to $SPLUNK_HOME/etc/bundles/local/props.conf:
[syslog] SEGMENTATION = inner SEGMENTATION-all = inner
This example changes all syslog data to inner segmentation.