Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I filter data with props and transforms, and how can I only index a specific string?

dpanych
Communicator
‎05-10-2019 08:54 AM

I have a directory which is full of .html webpages. I'd like Splunk to index those html files, but only a specific string of text (if the file contains it). I got as far as having Splunk index the entire file if it contains the string, but now, how can I get Splunk to only index a portion of that file? I've done this in the past but can't seem to remember how it was done. I remember using SEDCMD to remove everything but the specific portion. What am I missing?

Trying to parse out these:
alt text

props.conf

[html]
TRANSFORMS-set = setnull,keepBuildFiles
SEDCMD-removeLines = s/[\r\n]+//g

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keepBuildFiles]
REGEX = (Total\stime\:\s.*?\<br\>)
DEST_KEY = queue
FORMAT = indexQueue

data -- *answers.splunk.com is decoding the html. Here is raw (https://pastebin.com/ee3srkPM)

======================================================================&lt;br/&gt;
2019-05-07_02:58:29 --- Makefile@abcbuild2 (): src(for_release)&lt;br/&gt;
make[1]: Entering directory `/abc/builds/accrued/zzz/accu_ws/ZZZ_19.4.0_CM_CI/src'&lt;br/&gt;
2019-05-07_02:58:29 --- src/Makefile@abcbuild2 (src): idl(for_release)&lt;br/&gt;
make[2]: Entering directory `/abc/builds/accrued/zzz/accu_ws/ZZZ_19.4.0_CM_CI/src/idl'&lt;br/&gt;
2019-05-07_02:58:29 --- src/idl/Makefile@abcbuild2 (src/idl): idl(for_release)&lt;br/&gt;
Buildfile: /abc/builds/accrued/zzz/accu_ws/ZZZ_19.4.0_CM_CI/src/java/build.xml&lt;br/&gt;
&lt;br/&gt;
build_idl:&lt;br/&gt;
&lt;br/&gt;
find_modified_idl:&lt;br/&gt;
     [exec] New/Updated IDL:&lt;br/&gt;
     [echo] No Modified IDL detected... skipping code generation&lt;br/&gt;
&lt;br/&gt;
BUILD SUCCESSFUL&lt;br/&gt;
Total time: 2 seconds&lt;br/&gt;
Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎05-10-2019 12:30 PM

Like this:

props.conf:

[html]
SEDCMD-removeLines = s/\<br\>//g
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?:\<br\>)*[\r\n\s]+)(?=\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2})
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d_%H:%M:%S
TRANSFORMS-set = setnull,keepBuildFiles

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keepBuildFiles]
REGEX = (Total\stime\:\s.*?\<br\>)
DEST_KEY = queue
FORMAT = indexQueue
0 Karma
Reply

dpanych
Communicator
‎05-10-2019 11:59 AM

I was able to get SED working during search time with:

| rex field=_raw mode=sed "s/.*?(\<br\>\d+-\d+-\d+_\d+\:\d+\:\d+\s\-\-\-\sMakefile.*?Buildfile\:\s.*?Total\stime\:\s\d+\s\w+\<br\>).*/\1/g"

But it doesn't seem to work during index-time with props/transforms. Any one see anything wrong with my confs?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...