topic Re: Raw data removed space delimiter when using $result.raw$ in Getting Data In

Raw data removed space delimiter when using $result.raw$

elhuynh — Mon, 01 Jul 2019 21:01:12 GMT

Below is the search result:

1561992871526   CRMCGAES42-CSFBAES42    8=FIX.4.29=35435=834=217543=N49=CSFBAES4250=EXECSVC-26-CANADA52=20190701-14:54:3156=CRMCGAES4257=NCJM97=N6=0.00000011=7266812-1-07543138114=015=CAD17=2831423493120=022=231=0.00000032=037=3O195100007012038=3839=840=244=109.27000048=275438354=155=RY.TO58=ExchangeClosed Trading holiday in CA 60=20190701-14:54:3175=20190701113=N150=8151=010=072

However, when I've used $result.raw$ in the email body, all the spaces are gone. Please help.

1561992871526 CRMCGAES42-CSFBAES42 IN 8=FIX.4.29=35435=834=217543=N49=CSFBAES4250=EXECSVC-26-CANADA52=20190701-14:54:3156=CRMCGAES4257=NCJM97=N6=0.00000011=7266812-1-07543138114=015=CAD17=2831423493120=022=231=0.00000032=037=3O195100007012038=3839=840=244=109.27000048=275438354=155=RY.TO58=ExchangeClosed Trading holiday in CA 60=20190701-14:54:3175=20190701113=N150=8151=010=072

All I want to email the result but do not want to show the search string...I am looking around but did not find anything for that. So now I just want to attach the result (_raw) in the email w/o the result link. However, I ran to another issue with the delimiter.

Re: Raw data removed space delimiter when using $result.raw$

Sukisen1981 — Wed, 03 Jul 2019 07:10:37 GMT

the first search result that you are showing is what? just the _raw event or the result of a search string?

Re: Raw data removed space delimiter when using $result.raw$

elhuynh — Wed, 03 Jul 2019 17:52:54 GMT

Hi Sukisen,

The first result is the result of a search string. When the alert is triggered I wanted to send out an email with the first result but "link to results" option showing the search string which I do not want. I've been looking around for a solution but so far I did not find any. I came up with an idea to include $result$ token in the body of the email but all the space delimiters were removed which make it's difficult to read the result.

Thank you,

Re: Raw data removed space delimiter when using $result.raw$

woodcock — Thu, 04 Jul 2019 00:34:22 GMT

Those are not spaces, they are some other character. You need to figure out what the characters are and replace them with spaces like this (replace 12345 with the actual hexadecimal value for your character):

... | rex mode=sed "s/\x12345/ /g"

Re: Raw data removed space delimiter when using $result.raw$

elhuynh — Wed, 10 Jul 2019 17:36:18 GMT

I've verified the logs and the delimiter is ^A as below.
18=1^A48=BYWMQJ2^A20=0^A21=3^A20001=254900WNB33E53292541^A22=2^A54=1^A55=AYX^A29=1^A59=0^A10=050^A

Hex value of ^ is 5E and A is 41. I did what you've suggested but not sure if it's right syntax since it does not work.

index=fix sourcetype="fix:app:app_log" "39=8"AND "58=*"
| rex mode=sed "s/\x5E41/ /g"
| dedup _raw

Re: Raw data removed space delimiter when using $result.raw$

woodcock — Wed, 10 Jul 2019 18:25:09 GMT

should be ASCII=1 so try this:

... | rex mode=sed "s/\x01/ /g"

Re: Raw data removed space delimiter when using $result.raw$

elhuynh — Wed, 10 Jul 2019 22:11:42 GMT

It worked. Thanks woodcock!! I found a post to sed multi-characters as below but it did not work.

rex mode=sed "s/^A/ /g"

Re: Raw data removed space delimiter when using $result.raw$

woodcock — Thu, 11 Jul 2019 05:26:49 GMT

Great! Be sure to come back here and click Accept to close the question.