
...

Example 5: string "search "35=*" AND "49=oil" | rex "(?<Message>8=FIX.+\x0110=\d{3}\x01)" | search Message != '' | table Message"

Explanation:

| Part of expression | Description |
|---|---|
| `search` | In Splunk this is the search command. In FIXEye it is a mandatory keyword indicating that the search string uses Splunk syntax. |
| `"35=*" AND "49=oil"` | The expression defining what we want to find. The quotes mean that we search for a text pattern, not a Splunk field. `*` means any symbol. `AND` is logical conjunction. The expression means: find patterns containing both `35=*` and `49=oil`. |
| `\|` | The pipeline symbol: the output of the previous processing step becomes the input of the next step. |
| `rex` | Field extraction command. It takes a regular expression as input, searches the result of the previous step and puts the match in a field. |
| `"(?<Message>8=FIX.+\x0110=\d{3}\x01)"` | Input for the rex command: a regular expression that extracts a FIX message (which starts with `8=FIX` and ends with the sequence SOH10=any3digitsSOH). `<Message>`, written in angle brackets, is the name of the field containing the extracted FIX message. |
| `search Message !=''` | Search for FIX messages that are not empty (`''` is two apostrophes). `Message` is the field name from the previous pipeline step. |
| `table Message` | Pick only the Message group from all groups that are in the output of the previous pipeline step. |

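The `.+` in the rex pattern above is greedy, so an event that carries more than one FIX message produces a single merged Message value. The Python sketch below is an added example, not FIXEye or Splunk code: it applies the page's pattern to constructed events, compares it with a lazy `.+?` variant (an assumption, not on the page) and checks each extracted message against its tag 10 checksum. The helper names and sample messages are hypothetical.

```python
import re

SOH = "\x01"
# The page's rex pattern; Python spells the named group (?P<Message>...).
GREEDY = re.compile(r"(?P<Message>8=FIX.+\x0110=\d{3}\x01)")
# Assumption (not from the page): a lazy .+? stops at the first checksum
# trailer, so two messages logged in one event are not merged into one match.
LAZY = re.compile(r"(?P<Message>8=FIX.+?\x0110=\d{3}\x01)")


def fix_sum(data: str) -> str:
    """FIX CheckSum: byte sum modulo 256, rendered as three digits."""
    return f"{sum(data.encode('latin-1')) % 256:03d}"


def checksum_ok(message: str) -> bool:
    """Compare tag 10 with the sum of every byte before the '10=' field."""
    idx = message.rfind(SOH + "10=")
    return idx >= 0 and message[idx + 4:-1] == fix_sum(message[:idx + 1])


def build(msg_type: str, sender: str) -> str:
    """Constructed sample message with a valid BodyLength (9) and CheckSum (10)."""
    body = f"35={msg_type}{SOH}49={sender}{SOH}56=BROKER{SOH}11=A1{SOH}"
    head = f"8=FIX.4.2{SOH}9={len(body)}{SOH}{body}"
    return f"{head}10={fix_sum(head)}{SOH}"


def search(events, pattern):
    """Approximates: search "35=*" AND "49=oil" | rex ... | table Message."""
    rows = []
    for event in events:
        if "35=" in event and "49=oil" in event:
            # finditer keeps every match; rex keeps one unless max_match is raised.
            rows.extend(m.group("Message") for m in pattern.finditer(event))
    return rows


# Constructed sample events, not taken from the page.
M1, M2, M3 = build("D", "oil"), build("8", "oil"), build("D", "gas")
EVENTS = [f"2024-01-01 10:00:00 {M1} {M2}", f"2024-01-01 10:00:01 {M3}"]

if __name__ == "__main__":
    for name, pattern in (("greedy", GREEDY), ("lazy", LAZY)):
        for row in search(EVENTS, pattern):
            print(name, checksum_ok(row), row.replace(SOH, "|"))
```

A Message value that fails the checksum test is a sign that the extraction boundaries are wrong or that the logged message was truncated or altered.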

The search result is shown below.

...

  1. "Connection is not added" error. Exclamation marks appear on the right side of the fields. Hovering the pointer over a mark shows a pop-up explanation.
    • Incorrect URL - change the URL; it must have the correct form, e.g. https://localhost:8089 for a local machine.
    • User name can't be empty - enter a valid user name.
    • Password can't be empty - enter the password for the user.
  2. "Error occurred while parsing messages (in Details: 401 Unauthorized Warning: login failed  )" error - check the user name and password in the connection properties.

...