Problems to parse "/" character

lucasbiccio · January 30, 2018, 12:34pm

Hi all,

I'm using logstash to parse a FIX string message into a index data tag by tag. Check the following configuration:

if "fix" in [tags]
{
	grok 
	{
		match => { "message" => "%{GREEDYDATA:direction} %{GREEDYDATA:timestamp} %{GREEDYDATA:fix_string}" }
	}
	kv 
	{
		source => "fix_string"
		field_split => "\x01"
	}
}

The filter is working properly, except when we have a text with a "/" inside the message.
For the example below, logstash is considering the content util "/" as the direction attribute, but it belows o the fix_string attribute.

IN 20180130-11:45:29.924351900 8=FIX.4.49=51935=834=15852=20180130-11:41:59.0631=9999316=014=032=037=NONE38=539=840=244=8490054=258=Short position [1.00] exceeds limit [0.00] for Equivalent Instrument / [ID(50885),SIDE(2),RATIO(1.00)]59=060=20180130-11:41:59103=10020150=8151=5453=4448=6074660447=D452=36447=D452=54448=85447=D452=7447=D452=3310=077

Does anybody have and idea to solve this issue?

magnusbaeck · January 30, 2018, 12:55pm

Don't use more than one DATA or GREEDYDATA pattern in the same expression. It's very inefficient and can lead to unexpected matches, possibly including this one. Use a more exact expression like for example %{NOTSPACE} %{NOTSPACE} %{GREEDYDATA}.

lucasbiccio · January 30, 2018, 5:09pm

Fit like a glove!
Thank you very much for your assistance.
Regards,

Biccio

system · February 27, 2018, 5:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.