Splunk Segmenter config for ISO8601 dates

less than 1 minute read

Recently I read an excellent article by Duane Waddle on splunk bucket lexicons and segmentation.

This inspired to put a small app on SplunkBase that improves the default settings to ignore ISO8601 date and time stamps in the searchable lexicon in Splunk.

Practically this means Splunk will stop indexing parts of the timestamp, and you can no longer search for terms like 2018. Because this significantly reduces the index, this should save you a good amount of disk space.

The app is available as ISO8601 Segmenter Configuration and full source is at the github repository.