Configure custom segmentation for a host, source, or source type

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6

By default, Splunk fully segments events to allow for the most flexible searching. To learn more about segmentation in general, refer to this page about segmentation.

If you know how you want to search for or process events from a specific host, source, or source type, you can configure custom segmentation for that specific type of event. Configuring custom segmentation for a given host, source, or source type improves indexing and search performance and can reduce index size (on disk).


Configure custom segmentation in props.conf

Configure custom segmentation for events of a host, source, or source type by adding the SEGMENTATION and SEGMENTATION-<segment selection> attributes to a host, source, or source type stanza in props.conf. Assign values to the attributes using rules for index time and search time (Splunk Web) segmentation that are defined in segmenters.conf.

Add your stanza to $SPLUNK_HOME/etc/system/local/props.conf. Specify the following attribute/value pairs:

[<spec>]
SEGMENTATION = $SEG_RULE
SEGMENTATION-<segment selection> = $SEG_RULE

[<spec>] can be:

  • <sourcetype>: A source type in your event data.
  • host::<host>: A host value in your event data.
  • source::<source>: A source of your event data.

SEGMENTATION = $SEG_RULE

  • Specify the segmentation to use at index time.
  • Set $SEG_RULE to inner, outer, none, or full.

SEGMENTATION-<segment selection> = $SEG_RULE

  • Specify the type of segmentation to use at search time.
  • This only applies to the appearance in Splunk Web.
  • <segment selection> refers to the radio buttons in the Splunk Web preferences panel. Map these radio buttons to your custom $SEG_RULE.
  • <segment selection> can be one of the following: all, inner, outer, raw.

$SEG_RULE

  • A segmentation rule defined in segmenters.conf
  • Defaults are inner, outer, none, full.
  • Create your own custom rule by editing $SPLUNK_HOME/etc/system/local/segmenters.conf.
  • For more information on configuring segmenters.conf, see this page.


Example

The following example can increase search performance (in Splunk Web) and reduce the index size of your syslog events.

Add the following to the [syslog] source type stanza in props.conf:

[syslog]
SEGMENTATION = inner
SEGMENTATION-all = inner

This example changes the segmentation of all events that have sourcetype=syslog to inner segmentation at index time (using the SEGMENTATION attribute), and in Splunk Web (using the SEGMENTATION-<segment selection> attribute).

Note: You must restart Splunk to apply changes to Splunk Web segmentation, and you must re-index your data to apply changes to index time segmentation.
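The following lint is an added example, not part of the Splunk documentation or product. It checks the SEGMENTATION attributes in a props.conf text against the rule names and segment selections listed above, and flags index-time rules other than full, since those reduce search flexibility and need a re-index to take effect. The function name, the sample stanzas, and the custom rule my_rule are assumptions made for illustration.

```python
import re

# Values taken from this page: default rules and Splunk Web segment selections.
DEFAULT_RULES = {"inner", "outer", "none", "full"}
SELECTIONS = {"all", "inner", "outer", "raw"}
ATTR = re.compile(r"^SEGMENTATION(?:-(?P<sel>[^=\s]+))?\s*=\s*(?P<rule>\S*)\s*$")

# Constructed sample input (hypothetical host, source and custom rule names).
SAMPLE = """\
[syslog]
SEGMENTATION = inner
SEGMENTATION-all = inner
[host::web01]
SEGMENTATION = innner
SEGMENTATION-everything = outer
[source::/var/log/app.log]
SEGMENTATION = my_rule
"""

def lint_props(text, custom_rules=()):
    """Return (line_no, stanza, message) findings; custom_rules are names assumed defined in segmenters.conf."""
    known = DEFAULT_RULES | set(custom_rules)
    findings, stanza = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]  # <sourcetype>, host::<host> or source::<source>
            continue
        m = ATTR.match(line)
        if not m:
            continue  # other props.conf attributes are out of scope here
        if stanza is None:
            findings.append((no, stanza, "attribute outside any stanza"))
            continue
        sel, rule = m.group("sel"), m.group("rule")
        if rule not in known:
            findings.append((no, stanza, f"unknown rule '{rule}'"))
        elif sel is None and rule != "full":
            findings.append((no, stanza, f"index-time rule '{rule}' is not 'full'; re-index to apply"))
        if sel is not None and sel not in SELECTIONS:
            findings.append((no, stanza, f"unknown segment selection '{sel}'"))
    return findings

if __name__ == "__main__":
    for finding in lint_props(SAMPLE, custom_rules=("my_rule",)):
        print(finding)
```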

Revision: 207