FixProtocol delimiter confusion

Ramesh_Janagam · November 18, 2016, 11:34am

Hi All,

We are processing FIX protocol messages in logstash( without Fix protocol plugin). but still I am not able to figure out 'delimiter'. We know its '\001' in ascii but still it not working. In logstash its displaying as '\u' so tried that also but still not parsed in kv plugin.

We are replacing '\u' with pipe.

mutate {
     #gsub => [ "message", "\\u(?:[0-1])", "|"]
     #gsub => [ "message", "\\(?:[u001]{5})", "|"]
     gsub => [ "message", "\\u", "|"]
  }    
  grok {
    match => [ "message", "%{TIME:logtime} \<%{NUMBER:threadid}\> RECV: %{GREEDYDATA:app_data}" ]
  }

  kv {
     source => ["app_data"]
     field_split => "|"
  }

any suggestion please?

Tribbles · November 22, 2016, 9:01am

Hi Ramesh,

had the same Problem in processing FIX Logfiles. You already are on the correct track, so to say.

The solution I use ist to first of all get rid of the HEX01 Delimiter:

mutate {
gsub => [
"message", "\x01", "^"
]
}

After this, you can split up the fields like this:

# split each of these filed with Key = Value and set new fields by the name of Key
kv {
  field_split => "^"
  source => "message"
}
# drop the heartbeat messages
if [35] == "0" {
  drop { }
}
# And now we rename some fields to be more verbose ...
mutate {
  rename => [ "35", "MsgType" ]
}

Hope this helps,

Thorsten

Topic		Replies	Views
Why is my logstash skipping delimiter in dissect mapping? Logstash	1	355	July 30, 2018
Logstack dissect missing delimiter Logstash	2	426	April 11, 2018
Problems to parse "/" character Logstash	2	391	January 30, 2018
Parsing the string with not specific delimeters Logstash	4	525	November 22, 2016
A question about separator in logstash Logstash	5	287	July 3, 2023

FixProtocol delimiter confusion

Related topics