FIX messages

Is it possible to search for FIX messages, like 35=i? Because it doesn't handle the = sign as a character and finds every 35 and i, even if I put it into commas?

You may need to analyze the messages using something other than the default analyzer (you'd specify this in your ES mappings).

For instance, it seems that the whitespace analyzer would do the right thing:

curl -XGET -d "a=12 b=34" http://localhost:9200/_analyze?analyzer=whitespace 
{  
   "tokens":[  
      {  
         "token":"a=12",
         "start_offset":0,
         "end_offset":4,
         "type":"word",
         "position":0
      },
      {  
         "token":"b=34",
         "start_offset":5,
         "end_offset":9,
         "type":"word",
         "position":1
      }
   ]
}

Hi Daniel,

Regarding FIX messages, I have some experience which I hope can be of help to you.
First of all, you will need to parse the FIX string out into a variable.

As the next step, you replace the separator (HEX 01) with a more common character like so:

# Replace the SOH (0x01) delimiter in the field holding the FIX string,
# so that the kv filter below (which reads the same field) can split on "^"
mutate {
  gsub => [
            "fix_message", "\x01", "^"
          ]
}

Then, you can split up all the fields with the kv filter like this:

# Now split each of these fields with Key = Value and set new fields by the name of Key
kv {
  field_split => "^"
  source => "fix_message"
}

Then I usually drop the FIX Heartbeats ...

# And drop the heartbeat messages
if [35] == "0" {
  drop { }
}
# And now we rename some fields to be more verbose ...
mutate {
  rename => [ "35", "MsgType" ]
}

This way, you can search your FIX messages like this: "MsgType:A" for authentication messages.

Hope this helps,
Thorsten
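The same pipeline steps (split on SOH, drop heartbeats, rename tag 35), as an added stand-alone Python example that is not from this thread or from Logstash; it also verifies the FIX checksum (tag 10) before the fields are trusted, which the Logstash filters above do not do. The sample messages and the `build_fix` helper are constructed here for the demonstration.

```python
SOH = "\x01"  # FIX field delimiter that the Logstash gsub above turns into "^"

def fix_checksum(msg_up_to_trailer: str) -> str:
    """FIX tag 10: sum of every byte up to and including the SOH before '10=', mod 256."""
    return f"{sum(msg_up_to_trailer.encode('ascii')) % 256:03d}"

def build_fix(fields, begin_string="FIX.4.2") -> str:
    """Constructed helper: assemble a well-formed message with BodyLength (9) and CheckSum (10)."""
    body = "".join(f"{tag}={value}{SOH}" for tag, value in fields)
    msg = f"8={begin_string}{SOH}9={len(body.encode('ascii'))}{SOH}{body}"
    return msg + f"10={fix_checksum(msg)}{SOH}"

def parse_fix(raw: str):
    """Split into tag=value pairs (like the kv filter), verify tag 10, drop
    heartbeats (35=0) and rename tag 35 to MsgType. Returns None for a dropped
    heartbeat and raises ValueError for a malformed or tampered message."""
    if not raw.endswith(SOH):
        raise ValueError("message does not end with SOH")
    trailer_at = raw.rfind(SOH + "10=")
    if trailer_at < 0:
        raise ValueError("missing CheckSum (tag 10)")
    fields = {}
    for token in raw.rstrip(SOH).split(SOH):
        tag, sep, value = token.partition("=")
        if not sep or not tag.isdigit():
            raise ValueError(f"malformed field: {token!r}")
        fields[tag] = value  # a repeated tag overwrites, as kv does by default
    if fields.get("10") != fix_checksum(raw[: trailer_at + 1]):
        raise ValueError("CheckSum mismatch")
    if fields.get("35") == "0":
        return None  # heartbeat: drop, as in the Logstash conditional
    fields["MsgType"] = fields.pop("35", "")
    return fields

def is_valid_fix(raw: str) -> bool:
    """True when the message parses and its checksum verifies."""
    try:
        parse_fix(raw)
        return True
    except ValueError:
        return False

# Constructed sample messages: a Logon (35=A) and a Heartbeat (35=0).
LOGON = build_fix([("35", "A"), ("49", "BUYSIDE"), ("56", "SELLSIDE"), ("34", "1"), ("98", "0"), ("108", "30")])
HEARTBEAT = build_fix([("35", "0"), ("49", "BUYSIDE"), ("56", "SELLSIDE"), ("34", "2")])

if __name__ == "__main__":
    print(parse_fix(LOGON))      # Logon document with MsgType instead of tag 35
    print(parse_fix(HEARTBEAT))  # None
```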