Solved: Raw data removed space delimiter when using $resul...

elhuynh · ‎07-01-2019

Below is the search result:

1561992871526   CRMCGAES42-CSFBAES42    8=FIX.4.29=35435=834=217543=N49=CSFBAES4250=EXECSVC-26-CANADA52=20190701-14:54:3156=CRMCGAES4257=NCJM97=N6=0.00000011=7266812-1-07543138114=015=CAD17=2831423493120=022=231=0.00000032=037=3O195100007012038=3839=840=244=109.27000048=275438354=155=RY.TO58=ExchangeClosed Trading holiday in CA 60=20190701-14:54:3175=20190701113=N150=8151=010=072

However, when I've used $result.raw$ in the email body, all the spaces are gone. Please help.

1561992871526 CRMCGAES42-CSFBAES42 IN 8=FIX.4.29=35435=834=217543=N49=CSFBAES4250=EXECSVC-26-CANADA52=20190701-14:54:3156=CRMCGAES4257=NCJM97=N6=0.00000011=7266812-1-07543138114=015=CAD17=2831423493120=022=231=0.00000032=037=3O195100007012038=3839=840=244=109.27000048=275438354=155=RY.TO58=ExchangeClosed Trading holiday in CA 60=20190701-14:54:3175=20190701113=N150=8151=010=072

All I want to email the result but do not want to show the search string...I am looking around but did not find anything for that. So now I just want to attach the result (_raw) in the email w/o the result link. However, I ran to another issue with the delimiter.

woodcock · ‎07-03-2019

Those are not spaces, they are some other character. You need to figure out what the characters are and replace them with spaces like this (replace 12345 with the actual hexadecimal value for your character):

... | rex mode=sed "s/\x12345/ /g"

View solution in original post

woodcock · ‎07-03-2019

Those are not spaces, they are some other character. You need to figure out what the characters are and replace them with spaces like this (replace 12345 with the actual hexadecimal value for your character):

... | rex mode=sed "s/\x12345/ /g"

elhuynh · ‎07-10-2019

I've verified the logs and the delimiter is ^A as below.
18=1^A48=BYWMQJ2^A20=0^A21=3^A20001=254900WNB33E53292541^A22=2^A54=1^A55=AYX^A29=1^A59=0^A10=050^A

Hex value of ^ is 5E and A is 41. I did what you've suggested but not sure if it's right syntax since it does not work.

index=fix sourcetype="fix:app:app_log" "39=8"AND "58=*"
| rex mode=sed "s/\x5E41/ /g"
| dedup _raw

woodcock · ‎07-10-2019

should be ASCII=1 so try this:

... | rex mode=sed "s/\x01/ /g"

elhuynh · ‎07-10-2019

It worked. Thanks woodcock!! I found a post to sed multi-characters as below but it did not work.

rex mode=sed "s/^A/ /g"

woodcock · ‎07-10-2019

Great! Be sure to come back here and click Accept to close the question.

Sukisen1981 · ‎07-03-2019

the first search result that you are showing is what? just the _raw event or the result of a search string?

elhuynh · ‎07-03-2019

Hi Sukisen,

The first result is the result of a search string. When the alert is triggered I wanted to send out an email with the first result but "link to results" option showing the search string which I do not want. I've been looking around for a solution but so far I did not find any. I came up with an idea to include $result$ token in the body of the email but all the space delimiters were removed which make it's difficult to read the result.

Thank you,

Raw data removed space delimiter when using $result.raw$

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...