Key-value parse events. This function can run an extra key-value parser on events. It is used to parse key-values of the form:
key=valuekey="value"key='value'key = value
Both key and value can be either quoted using " or
', or unquoted.
For a log line like this:
2017-02-22T13:14:01.917+0000 [main thread] INFO UserService - creating new user id=123, name='john doe' email=john@doeThe key-value parser extracts the fields:
id=123
name='john doe'
email=john@doe
Use the parameter field to specify which fields
should be key-value parsed. Specifying @rawstring to
key-value parse the rawstring.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
as | string | false | Prefix for all resolved field keys. | |
excludeEmpty | boolean | false | If the value of a key is empty, exclude the field. | |
field | [string] | false | @rawstring | Fields that should be key-value parsed. [a] |
override | boolean | false | Override existing values for keys that already exist in the event. | |
separator | string | false | The token that separates the key from the value — a single char only. | |
separatorPadding | string | false | unknown | Help the function recognize unquoted empty values and parse them by specifying whether there is a whitespace around the key-value separator (typically =). |
kvParse() Examples
Key-value parse the log line:
creating new user id=123, name='john doe' email=john@doe.This will add the fields id=123, name='john doe' and email=john@doe to the event:
kvParse()Key-value parse the log line:
creating new user id=123, name='john doe' email=john@doe loglevel=ERROR.
Assuming the event already has a loglevel field,
replacing the value of that field with ERROR requires the
override=true parameter:
kvParse(override=true)Key-value parse a nested field. In this example we will use JSON input:
{"service": "paymentService", "type": "payment", "metadata":"host=server5,transactionID=123,processingTime=100"}and parse out the key-values in the metadata field:
parseJSON()
| kvParse(metadata)Key-value parse the log line and export fields with a prefix:
creating new user id=123, name='john doe' email=john@doe.This will add the fields user.id=123, user.name='john doe' and user.email=john@doe to the event:
kvParse(as="user")Key-value parse the log line:
firstname = John middlename = lastname = DoeThis will add the fields firstname=John, middleName= (empty value) and lastname=Doe to the event:
kvParse(separatorPadding="yes")