parsekv
Parses a key-value pair string in a text field and extracts each key as a field.
Command properties
| Item | Description |
|---|---|
| Command type | Processing query |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Supported |
| Distributed execution | Not supported |
Syntax
parsekv [field=FIELD] [overlay={t|f}] [pairdelim=DELIM] [kvdelim=DELIM]
Options
- field=FIELD: Name of the field to parse. (default: line)
- overlay={t|f}: When set to t, preserves the original record's fields and overlays the parsed fields onto them. When omitted, outputs only the parsed fields. (default: f)
- pairdelim=DELIM: String used to delimit key-value pairs. Cannot be empty. (default: " ")
- kvdelim=DELIM: String used to delimit keys and values. Cannot be empty. (default: "=")
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 22800 | Enter the pairdelim option. | The pairdelim option value is empty |
| 22801 | Enter the kvdelim option. | The kvdelim option value is empty |
Description
The parsekv command splits the string in the specified field using pairdelim, then splits each token into a key and value using kvdelim, and extracts each as a field.
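The two-step split described above, modelled in Python as an added example; it is not Logpresso's implementation. Splitting on the first kvdelim only, skipping tokens that have no kvdelim, letting a repeated key keep its last value, and the constructed SPACED record are assumptions of this model.

```python
# Added illustration: a Python model of the split logic described above.
# Not Logpresso code; lines marked ASSUMPTION are not stated on the page.

class ParseError(Exception):
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def parsekv(record, field="line", overlay=False, pairdelim=" ", kvdelim="="):
    # Error codes 22800 / 22801 from the page: neither delimiter may be empty.
    if not pairdelim:
        raise ParseError(22800, "Enter the pairdelim option.")
    if not kvdelim:
        raise ParseError(22801, "Enter the kvdelim option.")

    parsed = {}
    text = record.get(field)
    if isinstance(text, str):
        # Step 1: split the field into tokens on pairdelim.
        for token in text.split(pairdelim):
            # Step 2: split each token into key and value on kvdelim.
            # ASSUMPTION: only the first kvdelim splits, so values may contain it.
            key, sep, value = token.partition(kvdelim)
            # ASSUMPTION: tokens without kvdelim or with an empty key are skipped.
            if not sep or not key:
                continue
            # ASSUMPTION: a repeated key keeps the last value seen.
            parsed[key] = value

    # overlay=t keeps the original fields and lays the parsed ones on top;
    # otherwise only the parsed fields are returned.
    return {**record, **parsed} if overlay else parsed


# Inputs taken from the page's own examples.
BASIC = {"line": "src=192.0.2.1 src_port=55324 dst=198.51.100.2 dst_port=80"}
CUSTOM = {"line": "name:logpresso;version:4;type:siem"}
# Constructed record: the msg value itself contains the pair delimiter.
SPACED = {"line": "user=alice msg=login failed dst=198.51.100.2", "_host": "fw1"}

if __name__ == "__main__":
    print(parsekv(BASIC))
    print(parsekv(CUSTOM, pairdelim=";", kvdelim=":"))
    print(parsekv(SPACED, overlay=True))
```

In this model the SPACED record yields msg=login: a value that contains pairdelim is cut at the first delimiter, so pick delimiters that cannot occur inside values before matching on the extracted fields.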
Examples
- Parsing basic key-value pairs

  json "{'line': 'src=192.0.2.1 src_port=55324 dst=198.51.100.2 dst_port=80'}" | parsekv

  Parses space-delimited key=value pairs and creates the src, src_port, dst, and dst_port fields.

- Parsing with custom delimiters

  json "{'line': 'name:logpresso;version:4;type:siem'}" | parsekv pairdelim=";" kvdelim=":"

  Uses semicolons (;) to delimit pairs and colons (:) to delimit keys and values.