Parse Key-Value Pairs With Override

Extract key-value pairs from text allowing field overrides using the kvParse() function with override parameter

Query

    kvParse(field=message, override=true)

Introduction

The kvParse() function can be used to parse key-value pairs from text fields and create new fields from them. When used with the override parameter, it allows new fields to overwrite existing fields with the same names.

In this example, the kvParse() function is used with the override parameter to extract key-value pairs from a message field, with the ability to override any existing fields that have matching names.

Example incoming data might look like this:

| @timestamp           | source     | status | message                                                   |
|----------------------|------------|--------|-----------------------------------------------------------|
| 2025-08-06T10:00:00Z | webserver1 | 200    | user=john.doe status=active role=admin sessionID=12345    |
| 2025-08-06T10:00:01Z | webserver2 | 404    | user=jane.smith status=inactive role=user sessionID=67890 |
| 2025-08-06T10:00:02Z | webserver1 | 500    | user=bob.wilson status=blocked role=guest sessionID=11111 |
| 2025-08-06T10:00:03Z | webserver3 | 200    | user=alice.jones status=active role=admin sessionID=22222 |
| 2025-08-06T10:00:04Z | webserver2 | 200    | user=mike.brown status=pending role=user sessionID=33333  |

Step-by-Step

  1. Starting with the source repository events.

  2. kvParse(field=message, override=true)

    Parses key-value pairs from the message field containing key-value formatted text.

    The field parameter specifies which field contains the key-value pairs to parse. The override parameter set to true allows the parsed values to overwrite any existing fields with matching names. Without the override parameter, the function would skip creating fields that already exist in the event.

  3. Event Result set.

Summary and Results

The query is used to extract structured fields from key-value formatted text while allowing the new values to replace existing field values.

This query is useful, for example, to parse log messages containing key-value pairs where the extracted values should take precedence over existing fields, or when reprocessing events where field values need to be updated from the message content.

Sample output from the incoming example data:

| @timestamp           | source     | message                                                   | user        | status   | role  | sessionID |
|----------------------|------------|-----------------------------------------------------------|-------------|----------|-------|-----------|
| 2025-08-06T10:00:00Z | webserver1 | user=john.doe status=active role=admin sessionID=12345    | john.doe    | active   | admin | 12345     |
| 2025-08-06T10:00:01Z | webserver2 | user=jane.smith status=inactive role=user sessionID=67890 | jane.smith  | inactive | user  | 67890     |
| 2025-08-06T10:00:02Z | webserver1 | user=bob.wilson status=blocked role=guest sessionID=11111 | bob.wilson  | blocked  | guest | 11111     |
| 2025-08-06T10:00:03Z | webserver3 | user=alice.jones status=active role=admin sessionID=22222 | alice.jones | active   | admin | 22222     |
| 2025-08-06T10:00:04Z | webserver2 | user=mike.brown status=pending role=user sessionID=33333  | mike.brown  | pending  | user  | 33333     |

Note that the original status field values are overwritten by the parsed values from the message, and new fields (user, role, sessionID) are created from the parsed key-value pairs.
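The following is an added Python model of the behaviour described above; it is not LogScale's implementation of kvParse() and is included only to make the override semantics concrete. It runs both override=true and override=false over a constructed copy of the sample events, and a small helper reports which pre-existing fields were overwritten, which is the check a reviewer wants when message content is allowed to replace fields. The tokenizer (key=value separated by whitespace, optional quotes) is an assumption of this example, not a statement of kvParse()'s exact grammar.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events mirroring the page's incoming data table.
# (Hypothetical values for illustration, not data from a live system.)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"@timestamp": "2025-08-06T10:00:00Z", "source": "webserver1", "status": "200",
     "message": "user=john.doe status=active role=admin sessionID=12345"},
    {"@timestamp": "2025-08-06T10:00:01Z", "source": "webserver2", "status": "404",
     "message": "user=jane.smith status=inactive role=user sessionID=67890"},
    {"@timestamp": "2025-08-06T10:00:02Z", "source": "webserver1", "status": "500",
     "message": "user=bob.wilson status=blocked role=guest sessionID=11111"},
    {"@timestamp": "2025-08-06T10:00:03Z", "source": "webserver3", "status": "200",
     "message": "user=alice.jones status=active role=admin sessionID=22222"},
    {"@timestamp": "2025-08-06T10:00:04Z", "source": "webserver2", "status": "200",
     "message": "user=mike.brown status=pending role=user sessionID=33333"},
]

# One key=value token (assumed grammar for this example): a key, '=', then a
# double-quoted, single-quoted or bare (whitespace-free) value.
KV_TOKEN = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_.\-]*)=(?P<value>"[^"]*"|\'[^\']*\'|\S+)'
)


def parse_kv(text: str) -> Dict[str, str]:
    """Return the key=value pairs found in text, with surrounding quotes removed."""
    pairs: Dict[str, str] = {}
    for match in KV_TOKEN.finditer(text):
        value = match.group("value")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        pairs[match.group("key")] = value  # a repeated key keeps its last value
    return pairs


def kv_parse(event: Dict[str, str], field: str = "message",
             override: bool = False) -> Dict[str, str]:
    """Model of kvParse(field=..., override=...); returns a new event dict.

    override=False: a parsed key that already exists on the event is skipped,
    so the original value survives (the page's description of the default).
    override=True: the parsed value replaces the existing field value.
    """
    result = dict(event)
    text = event.get(field)
    if text is None:
        return result  # nothing to parse; event passes through unchanged
    for key, value in parse_kv(text).items():
        if override or key not in result:
            result[key] = value
    return result


def overwritten_fields(event: Dict[str, str],
                       parsed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (field, old, new) for every pre-existing field whose value changed."""
    return [(k, event[k], parsed[k]) for k in event
            if k in parsed and event[k] != parsed[k]]


def run(events: List[Dict[str, str]], override: bool) -> List[Dict[str, str]]:
    """Apply the modelled kvParse to every event."""
    return [kv_parse(e, field="message", override=override) for e in events]


if __name__ == "__main__":
    for original, parsed in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS, override=True)):
        print(parsed["user"], parsed["status"], parsed["role"], parsed["sessionID"],
              "overwritten:", overwritten_fields(original, parsed))
```

With override=True every event's numeric status (200, 404, ...) is replaced by the status from the message, exactly as in the sample output table; with override=False the numeric status survives and only the new fields (user, role, sessionID) are added. Keeping overwritten_fields() output in view during testing makes it easy to confirm that only the fields you expect to be replaced actually are.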