- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is the search result:
1561992871526 CRMCGAES42-CSFBAES42 8=FIX.4.29=35435=834=217543=N49=CSFBAES4250=EXECSVC-26-CANADA52=20190701-14:54:3156=CRMCGAES4257=NCJM97=N6=0.00000011=7266812-1-07543138114=015=CAD17=2831423493120=022=231=0.00000032=037=3O195100007012038=3839=840=244=109.27000048=275438354=155=RY.TO58=ExchangeClosed Trading holiday in CA 60=20190701-14:54:3175=20190701113=N150=8151=010=072
However, when I've used $result.raw$ in the email body, all the spaces are gone. Please help.
1561992871526 CRMCGAES42-CSFBAES42 IN 8=FIX.4.29=35435=834=217543=N49=CSFBAES4250=EXECSVC-26-CANADA52=20190701-14:54:3156=CRMCGAES4257=NCJM97=N6=0.00000011=7266812-1-07543138114=015=CAD17=2831423493120=022=231=0.00000032=037=3O195100007012038=3839=840=244=109.27000048=275438354=155=RY.TO58=ExchangeClosed Trading holiday in CA 60=20190701-14:54:3175=20190701113=N150=8151=010=072
All I want to email the result but do not want to show the search string...I am looking around but did not find anything for that. So now I just want to attach the result (_raw) in the email w/o the result link. However, I ran to another issue with the delimiter.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Those are not spaces, they are some other character. You need to figure out what the characters are and replace them with spaces like this (replace 12345
with the actual hexadecimal value for your character):
... | rex mode=sed "s/\x12345/ /g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Those are not spaces, they are some other character. You need to figure out what the characters are and replace them with spaces like this (replace 12345
with the actual hexadecimal value for your character):
... | rex mode=sed "s/\x12345/ /g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've verified the logs and the delimiter is ^A as below.
18=1^A48=BYWMQJ2^A20=0^A21=3^A20001=254900WNB33E53292541^A22=2^A54=1^A55=AYX^A29=1^A59=0^A10=050^A
Hex value of ^ is 5E and A is 41. I did what you've suggested but not sure if it's right syntax since it does not work.
index=fix sourcetype="fix:app:app_log" "39=8"AND "58=*"
| rex mode=sed "s/\x5E41/ /g"
| dedup _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
should be ASCII=1 so try this:
... | rex mode=sed "s/\x01/ /g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked. Thanks woodcock!! I found a post to sed multi-characters as below but it did not work.
rex mode=sed "s/^A/ /g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great! Be sure to come back here and click Accept
to close the question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the first search result that you are showing is what? just the _raw event or the result of a search string?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Sukisen,
The first result is the result of a search string. When the alert is triggered I wanted to send out an email with the first result but "link to results" option showing the search string which I do not want. I've been looking around for a solution but so far I did not find any. I came up with an idea to include $result$ token in the body of the email but all the space delimiters were removed which make it's difficult to read the result.
Thank you,