<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How do I filter data  with props and transforms, and how can I only index a specific string? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-data-with-props-and-transforms-and-how-can-I/m-p/451220#M78253</link>
    <description>&lt;P&gt;I was able to get SED working during search time with:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| rex field=_raw mode=sed "s/.*?(\&amp;lt;br\&amp;gt;\d+-\d+-\d+_\d+\:\d+\:\d+\s\-\-\-\sMakefile.*?Buildfile\:\s.*?Total\stime\:\s\d+\s\w+\&amp;lt;br\&amp;gt;).*/\1/g"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;But it doesn't seem to work during index-time with props/transforms. Any one see anything wrong with my confs?&lt;/P&gt;</description>
    <pubDate>Fri, 10 May 2019 18:59:25 GMT</pubDate>
    <dc:creator>dpanych</dc:creator>
    <dc:date>2019-05-10T18:59:25Z</dc:date>
    <item>
      <title>How do I filter data  with props and transforms, and how can I only index a specific string?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-data-with-props-and-transforms-and-how-can-I/m-p/451219#M78252</link>
      <description>&lt;P&gt;I have a directory which is full of .html webpages. I'd like Splunk to index those html files, but only a specific string of text (if the file contains it). I got as far as having Splunk index the entire file if it contains the string, but now, how can I get Splunk to only index a portion of that file? I've done this in the past but can't seem to remember how it was done. I remember using SEDCMD to remove everything but the specific portion. What am I missing?&lt;/P&gt;

&lt;P&gt;Trying to parse out these:&lt;BR /&gt;
&lt;span class="lia-inline-image-display-wrapper" image-alt="alt text"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/7030iCDED6EC5BB51C85D/image-size/large?v=v2&amp;amp;px=999" role="button" title="alt text" alt="alt text" /&gt;&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[html]
TRANSFORMS-set = setnull,keepBuildFiles
SEDCMD-removeLines = s/[\r\n]+//g
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transforms.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keepBuildFiles]
REGEX = (Total\stime\:\s.*?\&amp;lt;br\&amp;gt;)
DEST_KEY = queue
FORMAT = indexQueue
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;data -- *answers.splunk.com is decoding the html. Here is raw (&lt;A href="https://pastebin.com/ee3srkPM"&gt;https://pastebin.com/ee3srkPM&lt;/A&gt;)&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;======================================================================&amp;amp;lt;br/&amp;amp;gt;
2019-05-07_02:58:29 --- Makefile@abcbuild2 (): src(for_release)&amp;amp;lt;br/&amp;amp;gt;
make[1]: Entering directory `/abc/builds/accrued/zzz/accu_ws/ZZZ_19.4.0_CM_CI/src'&amp;amp;lt;br/&amp;amp;gt;
2019-05-07_02:58:29 --- src/Makefile@abcbuild2 (src): idl(for_release)&amp;amp;lt;br/&amp;amp;gt;
make[2]: Entering directory `/abc/builds/accrued/zzz/accu_ws/ZZZ_19.4.0_CM_CI/src/idl'&amp;amp;lt;br/&amp;amp;gt;
2019-05-07_02:58:29 --- src/idl/Makefile@abcbuild2 (src/idl): idl(for_release)&amp;amp;lt;br/&amp;amp;gt;
Buildfile: /abc/builds/accrued/zzz/accu_ws/ZZZ_19.4.0_CM_CI/src/java/build.xml&amp;amp;lt;br/&amp;amp;gt;
&amp;amp;lt;br/&amp;amp;gt;
build_idl:&amp;amp;lt;br/&amp;amp;gt;
&amp;amp;lt;br/&amp;amp;gt;
find_modified_idl:&amp;amp;lt;br/&amp;amp;gt;
     [exec] New/Updated IDL:&amp;amp;lt;br/&amp;amp;gt;
     [echo] No Modified IDL detected... skipping code generation&amp;amp;lt;br/&amp;amp;gt;
&amp;amp;lt;br/&amp;amp;gt;
BUILD SUCCESSFUL&amp;amp;lt;br/&amp;amp;gt;
Total time: 2 seconds&amp;amp;lt;br/&amp;amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Fri, 10 May 2019 15:54:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-data-with-props-and-transforms-and-how-can-I/m-p/451219#M78252</guid>
      <dc:creator>dpanych</dc:creator>
      <dc:date>2019-05-10T15:54:53Z</dc:date>
    </item>
    <item>
      <title>Re: How do I filter data  with props and transforms, and how can I only index a specific string?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-data-with-props-and-transforms-and-how-can-I/m-p/451220#M78253</link>
      <description>&lt;P&gt;I was able to get SED working during search time with:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| rex field=_raw mode=sed "s/.*?(\&amp;lt;br\&amp;gt;\d+-\d+-\d+_\d+\:\d+\:\d+\s\-\-\-\sMakefile.*?Buildfile\:\s.*?Total\stime\:\s\d+\s\w+\&amp;lt;br\&amp;gt;).*/\1/g"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;But it doesn't seem to work during index-time with props/transforms. Any one see anything wrong with my confs?&lt;/P&gt;</description>
      <pubDate>Fri, 10 May 2019 18:59:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-data-with-props-and-transforms-and-how-can-I/m-p/451220#M78253</guid>
      <dc:creator>dpanych</dc:creator>
      <dc:date>2019-05-10T18:59:25Z</dc:date>
    </item>
    <item>
      <title>Re: How do I filter data  with props and transforms, and how can I only index a specific string?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-data-with-props-and-transforms-and-how-can-I/m-p/451221#M78254</link>
      <description>&lt;P&gt;Like this:&lt;/P&gt;

&lt;P&gt;props.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[html]
SEDCMD-removeLines = s/\&amp;lt;br\&amp;gt;//g
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?:\&amp;lt;br\&amp;gt;)*[\r\n\s]+)(?=\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2})
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d_%H:%M:%S
TRANSFORMS-set = setnull,keepBuildFiles
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transforms.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keepBuildFiles]
REGEX = (Total\stime\:\s.*?\&amp;lt;br\&amp;gt;)
DEST_KEY = queue
FORMAT = indexQueue
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Fri, 10 May 2019 19:30:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-data-with-props-and-transforms-and-how-can-I/m-p/451221#M78254</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2019-05-10T19:30:09Z</dc:date>
    </item>
  </channel>
</rss>

