kvParse( ) Query Function

Key-value parse events. This function can run an extra key-value parser on events. It is used to parse key-values of the form:

  • key=value
  • key="value”
  • key='value’

So for a log line like this:

2017-02-22T13:14:01.917+0000 [main thread] INFO UserService - creating new user id=123, name='john doe' email=john@doe

The key-value parser extracts the fields:

  • id: 123
  • name: john doe
  • email: john@doe

Use the field parameter to specify which fields should be key-value parsed. Specify @rawstring to key-value parse the rawstring

Parameters

Name Type Required Default Description
field [string] No @rawstring Fields that should be key-value parsed
as string No Prefix for all resolved field keys
separator string No = The token that separates the key from the value - a single char only.
override bool No false Override existing values for keys that already exist in the event.
excludeEmpty bool No false If the value of a key is empty, exclude the field

field is the unnamed parameter.

Examples

Key-value parse the log line: creating new user id=123, name='john doe’ email=john@doe. This will add the fields id=123, name=john doe’ and email=john@doe` to the event.

kvParse()

Key-value parse the log line: creating new user id=123, name='john doe’ email=john@doe loglevel=ERROR. Assuming the event already has a loglevel field, replacing the value of that field with ERROR requires the override=true parameter.

kvParse(override=true)

Key value parse a nested field. In this example we will use JSON input: {“service”: “paymentService”, “type”: “payment”, “metadata”:“host=server5,transactionID=123,processingTime=100”} and parse out the key-values in the metadata field

parseJSON() | kvParse(metadata)

Key-value parse the log line and export fields with a prefix: creating new user id=123, name='john doe’ email=john@doe. This will add the fields user.id=123, user.name=john doe and user.email=john@doe to the event.

kvParse(as="user")