Splunk breaks the uploaded data into events. Events are the key elements of Splunk search, and they are further segmented at index time and at search time. Segmentation is the breaking of events into smaller units, classified as major segments and minor segments. It can be explained with the help of the following example: the complete IP address is a major segment, and a major segment can be further broken down into many minor segments, as shown in the following screenshot:
It is very important to configure event segmentation, because index-time segmentation affects storage size and indexing speed, while search-time segmentation affects search speed and the ability to build searches from the results of other searches in Splunk Web. Depending on the need, specific types of segmentation can be configured. Splunk even provides the facility to apply event segmentation to a specific host, source, or source type.
The following are the three types of event segmentation that can be configured for index-time and search-time segmentation:
Inner segmentation: for example, the IP address 127.0.0.1 will be broken into 127, 0, 0, and 1 under inner segmentation.
Outer segmentation: for example, the IP address 127.0.0.1 will only be segmented as 127.0.0.1. So, to search for any events having an IP address beginning with 127.0.0, we will have to use a wildcard such as 127.0.0.*, which will match all IP addresses starting with 127.0.0.
Full segmentation: for example, the IP address 127.0.0.1 will be segmented as 127.0.0.1, 127.0, and 127.0.0 in addition to the inner segments.
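To make the three modes concrete, the following Python script is an added illustration (not Splunk's own tokenizer and not code from the book) that approximates how inner, outer, and full segmentation turn an event into indexed terms, and then shows why the outer-segmented index needs the 127.0.0.* wildcard while the fully segmented one finds 127.0.0 directly. The breaker character sets and the sample event are constructed assumptions chosen to reproduce the 127.0.0.1 example above.

```python
import re

# Constructed approximation of segmenters.conf behaviour (assumption, not Splunk's code):
# major breakers split an event into major segments, minor breakers split a major
# segment into minor segments. The capturing group keeps the breaker characters so
# that prefixes such as 127.0 and 127.0.0 can be rebuilt for full segmentation.
MAJOR_BREAKERS = re.compile(r"[\s,;()\[\]{}\"'<>|!]+")
MINOR_BREAKERS = re.compile(r"([./:=@_\-])")

# Constructed sample event used by the demonstration below.
EVENT = "connection from 127.0.0.1 to 10.0.0.5 port 443"


def major_segments(event):
    """Split an event on major breakers; each surviving token is a major segment."""
    return [tok for tok in MAJOR_BREAKERS.split(event) if tok]


def segment(event, mode):
    """Return the set of terms the index would hold for `event` under `mode`.

    mode: "inner" -> minor segments only
          "outer" -> major segments only
          "full"  -> major segments, minor segments and every prefix run of
                     minor segments (127.0, 127.0.0, ...)
          "none"  -> the event is kept as a single term
    """
    if mode == "none":
        return {event}
    terms = set()
    for major in major_segments(event):
        # e.g. '127.0.0.1' -> ['127', '.', '0', '.', '0', '.', '1']
        parts = MINOR_BREAKERS.split(major)
        minors = [p for p in parts[0::2] if p]
        if mode == "outer":
            terms.add(major)
        elif mode == "inner":
            terms.update(minors)
        elif mode == "full":
            terms.add(major)
            terms.update(minors)
            # prefixes ending on a minor segment: parts[:3] = '127.0', parts[:5] = '127.0.0'
            for i in range(3, len(parts), 2):
                if parts[i - 1]:
                    terms.add("".join(parts[:i]))
        else:
            raise ValueError(f"unknown segmentation mode: {mode}")
    return terms


def search(term, indexed_terms):
    """Look a search term up in the indexed terms; a trailing '*' is a prefix wildcard."""
    if term.endswith("*"):
        prefix = term[:-1]
        return sorted(t for t in indexed_terms if t.startswith(prefix))
    return sorted(t for t in indexed_terms if t == term)


if __name__ == "__main__":
    for mode in ("inner", "outer", "full"):
        print(f"{mode:6s} -> {sorted(segment(EVENT, mode))}")
    # The point made in the text: with outer segmentation, 127.0.0 is not a term,
    # so only the wildcard form finds the address; full segmentation indexes it.
    print("outer, 127.0.0   :", search("127.0.0", segment(EVENT, "outer")))
    print("outer, 127.0.0.* :", search("127.0.0.*", segment(EVENT, "outer")))
    print("full,  127.0.0   :", search("127.0.0", segment(EVENT, "full")))
```

Running the script shows that the fully segmented index is the largest of the three, which is the storage and indexing-speed trade-off the text describes: every extra prefix term costs index space but saves a wildcard scan at search time.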
Splunk Enterprise is, by default, configured to the indexing type, which is a combination of outer and inner segmentation for index-time segmentation and full segmentation for search-time segmentation, in segmenters.conf located at $SPLUNK_HOME/etc/system/default.
The props.conf file can be configured if event segmentation is to be performed on a specific host, source type, or source. The following block can be added to props.conf for the respective event's segmentation. Inner, outer, none, and full are the values that can be configured in the SEGMENTATION attribute.
[Source/Sourcetype/Host]
SEGMENTATION = <SEGMENTATION_TYPE>
# SEGMENTATION_TYPE can be Inner, Outer, None or Full
For better clarity, refer to the following example:
[TestTXTUpload]
SEGMENTATION = Outer
The segmentation shown in Splunk Web can be configured per segment selection in the same way:
[Source/Sourcetype/Host]
SEGMENTATION-<SEGMENT> = <SEGMENTATION_TYPE>
# SEGMENTATION_TYPE can be Inner, Outer, None or Full & SEGMENT can be full, inner, outer or raw.
[TestTXTUpload]
SEGMENTATION-full = Outer