https://community.splunk.com/t5/Getting-Data-In/How-to-change-segmenters-to-make-my-data-working-with-PREFIX/m-p/653897#M110876 <P>Hi,</P><P>I'm trying to use the PREFIX directive in TSTATS (here :&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.1.0/SearchReference/Tstats#Use_PREFIX.28.29_to_aggregate_or_group_by_raw_tokens_in_indexed_data" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/9.1.0/SearchReference/Tstats#Use_PREFIX.28.29_to_aggregate_or_group_by_raw_tokens_in_indexed_data</A>).</P><P>In the docs, it says that it can work with data that <STRONG>does not</STRONG> contain major breakers such as spaces.</P><P>My data contains spaces so I decided to try to change the major breakers this way:</P><P><U>props.conf:</U></P><LI-CODE lang="markup">[test_sourcetype] SEGMENTATION = test_segments</LI-CODE><P><U>segmenters.conf:</U></P><LI-CODE lang="markup">[test_segments] MAJOR = \t MINOR = / : = @ . - $ # % \\ _ [ ] &lt; &gt; ( ) { } | ! ; , ' " * \n \r \s &amp; ? + %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 %5D %5B %3A %0A %2C %28 %29</LI-CODE><P>This way, only the tab (\t) is considered as a major breaker.</P><P>I applied this, restarted and tried to ingest a line of log with the sourcetype "test_sourcetype".</P><P>Unfortunately, it seems the segmenters.conf does not work because it keeps breaking with a space for example.</P><P>I also tried to remove all MINOR and keep only MAJOR, but no luck:</P><P>MAJOR = \t<BR />MINOR =</P><P>&nbsp;</P><P>Have I made a mistake? Is it possible to do what I want? I think so because in this .conf presentation (<A href="https://conf.splunk.com/files/2020/slides/PLA1089C.pdf" target="_blank" rel="noopener">https://conf.splunk.com/files/2020/slides/PLA1089C.pdf</A>) they mention it briefly (page 37).</P><P>Should I also use&nbsp;</P><PRE>SEGMENTATION-&lt;segment selection&gt; = &lt;segmenter&gt;</PRE><P>in props.conf ? The docs says it is for SplunkWeb but I am considering all options...</P><P>Thanks</P> Fri, 11 Aug 2023 07:39:37 GMT cdaviet 2023-08-11T07:39:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-change-segmenters-to-make-my-data-working-with-PREFIX/m-p/653897#M110876 <P>Hi,</P><P>I'm trying to use the PREFIX directive in TSTATS (here :&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.1.0/SearchReference/Tstats#Use_PREFIX.28.29_to_aggregate_or_group_by_raw_tokens_in_indexed_data" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/9.1.0/SearchReference/Tstats#Use_PREFIX.28.29_to_aggregate_or_group_by_raw_tokens_in_indexed_data</A>).</P><P>In the docs, it says that it can work with data that <STRONG>does not</STRONG> contain major breakers such as spaces.</P><P>My data contains spaces so I decided to try to change the major breakers this way:</P><P><U>props.conf:</U></P><LI-CODE lang="markup">[test_sourcetype] SEGMENTATION = test_segments</LI-CODE><P><U>segmenters.conf:</U></P><LI-CODE lang="markup">[test_segments] MAJOR = \t MINOR = / : = @ . - $ # % \\ _ [ ] &lt; &gt; ( ) { } | ! ; , ' " * \n \r \s &amp; ? + %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 %5D %5B %3A %0A %2C %28 %29</LI-CODE><P>This way, only the tab (\t) is considered as a major breaker.</P><P>I applied this, restarted and tried to ingest a line of log with the sourcetype "test_sourcetype".</P><P>Unfortunately, it seems the segmenters.conf does not work because it keeps breaking with a space for example.</P><P>I also tried to remove all MINOR and keep only MAJOR, but no luck:</P><P>MAJOR = \t<BR />MINOR =</P><P>&nbsp;</P><P>Have I made a mistake? Is it possible to do what I want? I think so because in this .conf presentation (<A href="https://conf.splunk.com/files/2020/slides/PLA1089C.pdf" target="_blank" rel="noopener">https://conf.splunk.com/files/2020/slides/PLA1089C.pdf</A>) they mention it briefly (page 37).</P><P>Should I also use&nbsp;</P><PRE>SEGMENTATION-&lt;segment selection&gt; = &lt;segmenter&gt;</PRE><P>in props.conf ? The docs says it is for SplunkWeb but I am considering all options...</P><P>Thanks</P> Fri, 11 Aug 2023 07:39:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-change-segmenters-to-make-my-data-working-with-PREFIX/m-p/653897#M110876 cdaviet 2023-08-11T07:39:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-change-segmenters-to-make-my-data-working-with-PREFIX/m-p/653995#M110884 <P>I am not expert on this but I guess one thing is to run btool and make sure you are getting the settings that you think you are.</P><P>A few months ago I did a quick test to remove double quotes in order that I could use tstats.<BR /><BR />props.conf</P><LI-CODE lang="markup">[my_sourcetype] SEGMENTATION = no_double_quotes</LI-CODE><P>&nbsp;</P><P>segmenters.conf</P><LI-CODE lang="markup">[no_double_quotes] MAJOR = [ ] &lt; &gt; ( ) { } | ! ; , ' * \n \r \s \t &amp; ? + %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 %5D %5B %3A %0A %2C %28 %29</LI-CODE><P>&nbsp;Then I could search with tstats where I had myfield="123"</P><LI-CODE lang="markup">| tstats count where index=myindex by PREFIX(myfield=)</LI-CODE><P>&nbsp;</P> Fri, 11 Aug 2023 00:02:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-change-segmenters-to-make-my-data-working-with-PREFIX/m-p/653995#M110884 burwell 2023-08-11T00:02:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-change-segmenters-to-make-my-data-working-with-PREFIX/m-p/654020#M110888 <P>Hi burwell, thanks for taking the time to answer.</P><P>I actually ran a test on Splunk Enterprise (was doing it on our SplunkCloud production env) and it works!</P><P>&nbsp;</P><P>So it looks like SplunkCloud does not allow to change this kind of parameters... That's sad.</P><P>&nbsp;</P><P>Anyway, thanks!</P> Fri, 11 Aug 2023 07:25:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-change-segmenters-to-make-my-data-working-with-PREFIX/m-p/654020#M110888 cdaviet 2023-08-11T07:25:16Z