ISO8601 Segmenter Configuration
Overview
Details
i.e. it's no longer possible to search for terms like '2018'. Normal search by time of course still works.
This app will not work in Splunk Cloud. It modifies the `segmenters.conf` and this only supported in on-premises deployments.
This package contains a segmenters.conf for ISO8601 datetime stamps.
After enabling this, Splunk will ignore ISO8601 timestamps at the start of an event in its indexing process.
The timestamp will be correctly interpreted, _time will be set, but the timestamp will not go in the free text search index.
Example, in the following log entry:
2018-10-14T10:54:12+00:00 hostname liblogging-stdlog: [origin software="rsyslogd" swVersion="8.24.0" x-pid="19060" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Terms like 2018, 10, 14T10, 54, 12, etc will not appear in the index and will not be searchable.
Installation and Configuration
To enable, reference it in props.conf. It cannot be configured from the Splunk GUI.
This Add-On needs to be installed on indexers only.
[syslog]
SEGMENTATION = iso8601or
[source:/var/log/remote/*/*/*.log]
SEGMENTATION = iso8601See also: https://www.duanewaddle.com/splunk-bucket-lexicons-and-segmentation/
Release Notes
Version 1.0
This package contains segmenter.conf for ISO8601 datetime stamps.
After enabling this, Splunk will ignore ISO8601 timestamps at the start of an event in its indexing process.
The time will be correctly interpreted, _time will be set, but the timestamp will not go in the free text search index.
To enable, reference it in props.conf. It cannot be configured from the Splunk GUI.
[syslog]
SEGMENTATION = iso8601
or
[source:/var/log/remote/*/*/*.log]
SEGMENTATION = iso8601
See also:
# https://www.duanewaddle.com/splunk-bucket-lexicons-and-segmentation/