Managing event segmentation

Splunk breaks uploaded data into events. Events are the key elements of Splunk search, and they are further segmented at index time and at search time. Segmentation is the breaking of events into smaller units, classified as major and minor segments. It can be explained with the help of the following example.

A complete IP address is a major segment, and a major segment can be further broken down into several minor segments, as shown in the following screenshot:

[Screenshot: Managing event segmentation]

It is very important to configure event segmentation carefully: index-time segmentation affects storage size and indexing speed, while search-time segmentation affects search speed and the ability to build new searches by clicking on the results shown in Splunk Web. Depending on the need, a specific type of segmentation can be configured, and Splunk even provides the facility to apply a particular event segmentation to a specific host, source, or source type.

The following three types of event segmentation can be configured for both index-time and search-time segmentation:

  • Inner segmentation: This type of segmentation ensures that events are broken down into the smallest (minor) segments. Inner segmentation leads to faster indexing and searching and less disk usage, but it also degrades the lookahead (search prediction) functionality while typing searches in the Splunk Web console.

    For example, with inner segmentation the IP address 127.0.0.1 will be broken into 127, 0, 0, and 1.

  • Outer segmentation: Outer segmentation is the exact opposite of inner segmentation: major segments are not broken down into minor segments. It is less efficient than inner segmentation but is said to be more efficient than full segmentation. It also restricts the ability to click on individual parts of search results while searching in the Splunk Web console.

    For example, the IP address 127.0.0.1 will only be segmented as 127.0.0.1. So, to search for events whose IP address starts with 127.0.0, we will have to use a wildcard such as 127.0.0.*, which matches all IP addresses starting with 127.0.0.

  • Full segmentation: Full segmentation is a combination of inner and outer segmentation: it keeps both major and minor segments. It is said to be the least efficient option for indexing but the most versatile for searching.

    For example, the IP address 127.0.0.1 will be segmented as 127.0.0.1, 127.0, and 127.0.0.
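To make the difference between the three segmenters concrete, here is a small simulation added for this chapter (it is not Splunk code and not part of the original text). It applies simplified, assumed major and minor breaker tables to a constructed firewall event and reports which search terms would hit the resulting index-time terms, including why a prefix search such as 127.0.0 needs a wildcard under outer segmentation but not under full segmentation. Splunk's real breaker lists live in segmenters.conf and are longer than the ones assumed here.

```python
import re
from fnmatch import fnmatchcase
from typing import List, Set

# Constructed sample event (not from the page); the addresses are illustrative.
SAMPLE_EVENT = "Jan 10 10:00:01 firewall DENY 127.0.0.1 to 10.0.0.5 port 443"

# Simplified breaker tables, assumed for this example only. Splunk's real
# MAJOR and MINOR lists in segmenters.conf contain more characters.
MAJOR_BREAKER = re.compile(r"[\s,;()\[\]{}\"'|!]+")
MINOR_BREAKER = re.compile(r"([./:=@\-_])")   # capturing group keeps the breaker


def major_segments(event: str) -> List[str]:
    """Split an event on major breakers: whole tokens such as 127.0.0.1."""
    return [t for t in MAJOR_BREAKER.split(event) if t]


def minor_segments(token: str) -> List[str]:
    """Split one major token into its minor pieces: 127.0.0.1 -> 127, 0, 0, 1."""
    return [p for p in MINOR_BREAKER.split(token) if p and not MINOR_BREAKER.fullmatch(p)]


def full_terms(token: str) -> Set[str]:
    """Full segmentation keeps the major token, every minor token and every
    prefix ending on a minor token: 127.0.0.1 -> 127, 0, 1, 127.0, 127.0.0, 127.0.0.1."""
    terms = {token}
    prefix = ""
    for part in MINOR_BREAKER.split(token):
        if not part:
            continue
        prefix += part
        if not MINOR_BREAKER.fullmatch(part):
            terms.add(part)
            terms.add(prefix)
    return terms


def segment(event: str, mode: str) -> Set[str]:
    """Return the set of searchable terms an event produces under a segmenter."""
    mode = mode.lower()
    if mode == "none":
        return set()
    majors = major_segments(event)
    if mode == "outer":
        return set(majors)
    if mode == "inner":
        return {m for tok in majors for m in minor_segments(tok)}
    if mode == "full":
        return {t for tok in majors for t in full_terms(tok)}
    raise ValueError(f"unknown segmenter {mode!r}")


def term_matches(search_term: str, terms: Set[str]) -> bool:
    """A search term hits when it equals an indexed term or wildcard-matches one."""
    if "*" in search_term:
        return any(fnmatchcase(t, search_term) for t in terms)
    return search_term in terms


if __name__ == "__main__":
    for mode in ("inner", "outer", "full"):
        terms = segment(SAMPLE_EVENT, mode)
        print(f"{mode:>5}: {sorted(terms)}")
        for query in ("127", "127.0.0", "127.0.0.*", "127.0.0.1"):
            print(f"       search {query!r:<12} -> {term_matches(query, terms)}")
```

Running the block prints the term set for each segmenter and shows that 127.0.0 only matches outright under full segmentation, that the wildcard form works under outer segmentation, and that inner segmentation matches the bare octet 127 but never the whole address.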

By default, Splunk Enterprise uses the indexing segmenter, a combination of outer and inner segmentation, for index-time segmentation, and full segmentation for search-time segmentation; these defaults are defined in segmenters.conf located at $SPLUNK_HOME/etc/system/default.

props.conf can be configured if event segmentation is to be applied to a specific host, source type, or source. The following blocks can be added to props.conf under the stanza for the respective source type ([<sourcetype>]), source ([source::<source>]), or host ([host::<host>]). Inner, Outer, None, and Full are the values that can be set for the SEGMENTATION attribute.

  • Index-time segmentation:
    # Stanza is [<sourcetype>], [source::<source>] or [host::<host>]
    [Source/Sourcetype/Host]
    # SEGMENTATION_TYPE can be Inner, Outer, None or Full
    SEGMENTATION = <SEGMENTATION_TYPE>

    For better clarity, refer to the following example:

    [TestTXTUpload]
    SEGMENTATION = Outer

  • Search-time segmentation:
    # Stanza is [<sourcetype>], [source::<source>] or [host::<host>]
    [Source/Sourcetype/Host]
    # SEGMENTATION_TYPE can be Inner, Outer, None or Full, and SEGMENT can be full, inner, outer or raw
    SEGMENTATION-<SEGMENT> = <SEGMENTATION_TYPE>

    For example:

    [TestTXTUpload]
    SEGMENTATION-full = Outer

    Note

    Splunk must be restarted for changes to the event segmentation configuration to take effect.
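Because these settings only take effect after a restart, it is worth catching mistakes before restarting. The following checker is an added example (not Splunk code and not from the original text) that parses props.conf-style text and reports SEGMENTATION settings that use a segmenter name or segment selection other than the ones listed above, as well as values carrying a trailing comment, which Splunk reads as part of the value because its .conf files only honour comments that start a line. The sample props.conf text is constructed; the segmenter list is the page's four values plus the default indexing segmenter, and names are compared case-insensitively so the page's capitalised forms pass.

```python
import re
from typing import Dict, List, Tuple

# Segmenters named on the page (Inner, Outer, None, Full) plus "indexing",
# the default index-time segmenter. Compared case-insensitively.
SEGMENTERS = {"inner", "outer", "none", "full", "indexing"}
# Valid segment selections for search-time keys of the form SEGMENTATION-<segment>.
SEGMENT_SELECTIONS = {"full", "inner", "outer", "raw"}

SEGMENTATION_KEY = re.compile(r"^SEGMENTATION(?:-(?P<segment>[^\s=]+))?$")

Finding = Tuple[str, str, str]  # (stanza, key, message)

# Constructed sample props.conf text; the second stanza contains three mistakes.
SAMPLE_PROPS = """\
[TestTXTUpload]
SEGMENTATION = Outer
SEGMENTATION-full = Outer

[source::/var/log/app.log]
SEGMENTATION = Inner # index-time
SEGMENTATION-raw = Fulll
SEGMENTATION-partial = Inner
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk-style .conf text: [stanza] headers, key = value
    lines, and comments only where '#' starts the line."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if "=" not in line:
            continue  # not a key = value line; ignored for this check
        key, value = line.split("=", 1)
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def lint_segmentation(text: str) -> List[Finding]:
    """Report SEGMENTATION settings that would not do what the author expects."""
    findings: List[Finding] = []
    for stanza, settings in parse_conf(text).items():
        for key, value in settings.items():
            match = SEGMENTATION_KEY.match(key)
            if not match:
                continue
            if "#" in value:
                findings.append((stanza, key,
                                 "trailing '#' comment is read as part of the value; "
                                 "move it to its own line"))
                value = value.split("#", 1)[0].strip()
            segment = match.group("segment")
            if segment is not None and segment not in SEGMENT_SELECTIONS:
                findings.append((stanza, key,
                                 f"unknown segment selection {segment!r}; "
                                 f"expected one of {sorted(SEGMENT_SELECTIONS)}"))
            if value.lower() not in SEGMENTERS:
                findings.append((stanza, key,
                                 f"unknown segmenter {value!r}; "
                                 f"expected one of {sorted(SEGMENTERS)}"))
    return findings


if __name__ == "__main__":
    for stanza, key, message in lint_segmentation(SAMPLE_PROPS):
        print(f"[{stanza}] {key}: {message}")
```

Run against the constructed sample, the checker passes the TestTXTUpload stanza and reports three problems in the second stanza: the trailing comment on SEGMENTATION, the misspelt segmenter Fulll, and the unknown segment selection partial.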
