I have the following types of events in FIX format. This is what they look like in vi or emacs:
M|219620|0|i|I|20100506-16:15:53.443|463|8=FIX.4.4^A9=440^A35=i^A50=FXSpot
M|219621|0|i|I|20100506-16:15:53.444|461|8=FIX.4.4^A9=438^A35=i^A50=FXSpot
For the sake of simplicity, I have discarded the rest of the FIX message for this example. Notice the ^A as the delimiter between "fields".
After indexing the data in Splunk, the ^A becomes hex \x1 within Splunk Web and Splunk CLI.
M|219620|0|i|I|20100506-16:15:53.443|463|8=FIX.4.4\x19=440\x135=i\x150=FXSpot
M|219621|0|i|I|20100506-16:15:53.444|461|8=FIX.4.4\x19=438\x135=i\x150=FXSpot
My props.conf looks like this:
[FIX]
SHOULD_LINEMERGE = false
KV_MODE = none
REPORT-all = get_all_fields
My transforms.conf looks like this:
[get_all_fields]
DELIMS="\\x1"
FIELDS = "a", "b", "c", "d"
I have tried \\x1, \x1, and \\x01. None of them extract the 4 "fields" in the example. What should the hex value be for the DELIMS to properly break the fields? Is there a limitation where DELIMS can only take one character? I also tried using "\\", but that did not create any field extraction.
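
As an added illustration (not part of the original post, and not Splunk configuration), the following Python sketch parses the two events above outside Splunk. It shows that the ^A delimiter is the single byte 0x01 (SOH) and that the displayed text `\x19=440` is that byte followed by `9=440`. The function names and the choice to return tag/value tuples are assumptions made for this example.

```python
SOH = "\x01"  # the control character that vi/emacs display as ^A

# Constructed sample: the two events from the post, with ^A written as the real byte 0x01.
SAMPLE_EVENTS = [
    "M|219620|0|i|I|20100506-16:15:53.443|463|8=FIX.4.4\x019=440\x0135=i\x0150=FXSpot",
    "M|219621|0|i|I|20100506-16:15:53.444|461|8=FIX.4.4\x019=438\x0135=i\x0150=FXSpot",
]


def parse_event(line):
    """Return (header, fields): 7 pipe-delimited header columns and FIX (tag, value) pairs."""
    # Split at most 7 times so a '|' inside a FIX value stays in the body.
    parts = line.rstrip("\r\n").split("|", 7)
    if len(parts) != 8:
        raise ValueError("expected 7 header columns followed by a FIX body")
    header, body = parts[:7], parts[7]

    fields = []  # a list, not a dict: FIX repeating groups may reuse a tag
    for pair in body.split(SOH):
        if not pair:
            continue  # FIX messages normally end with a trailing SOH
        tag, sep, value = pair.partition("=")
        if not sep or not tag.isdigit():
            raise ValueError(f"malformed FIX field: {pair!r}")
        fields.append((int(tag), value))
    return header, fields


def as_displayed(line):
    """Render SOH as the literal text \\x1, matching the display described in the post."""
    return line.replace(SOH, r"\x1")


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        header, fields = parse_event(event)
        print(as_displayed(event))
        print("  header:", header)
        print("  fields:", fields)
```
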