extractkv search command
This search command extracts name=value pairs from raw event data depending on the delimiters specified. By default, name=value pairs are automatically extracted by the product, assuming the equals sign (=) as the separator. But when you run this command, name=value pairs are extracted depending on the options specified (kvdelim and pairdelim). Specifying these options is optional.
Note
If you run the command without specifying an option, even though the search results look unchanged, the name=value pairs are overridden and are displayed as virtual fields.
You can use this command to extract name=value pairs using other delimiters. A delimiter can be any character by which you extract name=value pairs (kvdelim) and name=value pair sets (pairdelim). You can use multiple characters as delimiters for extracting name=value pairs and name=value pair sets.
If you specify an option without its value, then by default a space ( ) is assumed as the delimiter for extracting name=value pair sets and the equals sign (=) is assumed as the delimiter for extracting name=value pairs. You can optionally limit the number of name=value pair sets to be extracted by using the limit parameter (the default is 50).
For a list of all search commands, see Search commands.
Syntax
extractkv [pairdelim="<Delimiters>"] [kvdelim="<Delimiters>"] [limit=<int>]
In the preceding syntax, the following definitions apply:
- [Expression] indicates it is optional.
- pairdelim="<Delimiters>" indicates the option for specifying the delimiters that separate name=value pair sets.
- kvdelim="<Delimiters>" indicates the option for specifying the delimiters that separate name=value pairs.
- limit=<int> indicates the integer value to use for limiting the number of name=value pairs and name=value pair sets.
Short examples
Example 1: Extract name=value pairs where the name=value pair delimiter and name=value pair sets delimiter are set to default.
... | extractkv
Example 2: Extract name=value pair sets separated by pipe and semi-colon (|;), where the delimiter for pairdelim (name=value pair sets) and limit options are set to default.
... | extractkv pairdelim="|;"
Example 3: Extract name=value pairs separated by colon (:), where the delimiter for kvdelim option (name=value pairs) is set to default.
... | extractkv kvdelim=":"
Example 4: Extract a maximum of ten name=value pairs where the delimiter for kvdelim (name=value pairs) and the delimiter for pairdelim (name=value pair sets) are set to default.
... | extractkv limit=10
Example 5: Extract name=value pairs separated by colon and equals sign (:=) and name=value pair sets separated by comma and semi-colon (,;).
... | extractkv pairdelim=",;" kvdelim=":="
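The option semantics described above, modeled in Python as an added example; this is not the product's implementation, and the function name extract_kv, the sample event, and the first-occurrence-wins rule for repeated names are assumptions made for illustration.

```python
import re

# Constructed sample event (not taken from the product or from this page).
EVENT = "user=alice status=failed src:10.0.0.5;port:22,proto:tcp"


def extract_kv(raw, pairdelim=" ", kvdelim="=", limit=50):
    """Simplified model of the documented options.

    Every character in pairdelim separates name=value pair sets, every
    character in kvdelim separates a name from its value, and at most
    `limit` pairs are returned.
    """
    # An option given without a value falls back to its default delimiter.
    pairdelim = pairdelim or " "
    kvdelim = kvdelim or "="
    # Character class: any one of the pairdelim characters ends a pair set.
    splitter = re.compile("[" + re.escape(pairdelim) + "]+")
    fields = {}
    for chunk in splitter.split(raw):
        # First kvdelim character that has a non-empty name before it.
        hits = [i for i in (chunk.find(c) for c in kvdelim) if i > 0]
        if not hits:
            continue  # no name/value separator in this pair set
        cut = min(hits)
        name, value = chunk[:cut].strip(), chunk[cut + 1:].strip()
        if not name or not value:
            continue
        fields.setdefault(name, value)  # assumption: first occurrence wins
        if len(fields) >= limit:
            break
    return fields


if __name__ == "__main__":
    print(extract_kv(EVENT))                                   # defaults
    print(extract_kv(EVENT, kvdelim=":"))                      # kvdelim only
    print(extract_kv(EVENT, pairdelim=" ,;", kvdelim=":="))    # both options
    print(extract_kv(EVENT, pairdelim=" ,;", kvdelim=":=", limit=2))
```

In this model, setting only kvdelim=":" leaves the space as the pair-set delimiter, so the whole `src:...` run becomes a single field whose value still contains the other pairs; both delimiters have to match the log format for the fields to come out cleanly.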
Long examples
The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the extractkv command.
Sample data
ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; |
Sample indexed data
ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; HOST=my-server.bmc.com |count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text without Timestamp | COLLECTOR=x.txt |
extractkv with default values
In this example, you use the command to extract:
- name=value pairs separated by equals sign (=)
- name=value pair sets separated by space ( )
Command
extractkv
Output
ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; HOST=my-server.bmc.com |count=12|COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text without Timestamp | COLLECTOR=x.txt |
pairdelim
In this example, you use the command to extract name=value pair sets separated by semicolon (;)
Command
extractkv pairdelim=";"
Output
ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; HOST=my-server.bmc.com |count=12|COLLECTOR_NAME=log_data |searchId=1401867925702| DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt |
kvdelim
In this example, you use the command to extract name=value pairs separated by colon (:)
Command
extractkv kvdelim=":"
Output
ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006;|count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt |
pairdelim and kvdelim
In this example, you use the command to extract:
- name=value pair sets separated by semicolon (;)
- name=value pairs separated by colon (:)
Command
extractkv pairdelim=";" kvdelim=":"
Output
ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt |
kvdelim and limit
In this example, you use the command to extract a maximum of two name=value pairs separated by either colon (:) or equals sign (=)
Command
extractkv limit=2 kvdelim=":="
Output
ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; HOST=my-server.bmc.com |index=bw-2014-06-02-06-006;|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt |
pairdelim and kvdelim with multiple values and limit
In this example, you use the command to extract:
- maximum of two name=value pair sets separated by either comma (,) or semicolon (;)
- maximum of two name=value pairs separated by either colon (:) or equals sign (=)
Command
extractkv pairdelim=",;" kvdelim=":=" limit=2
Output
ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt |
pairdelim and kvdelim with multiple values
In this example, you use the command to extract:
- name=value pair sets separated by either comma (,) or semicolon (;)
- name=value pairs separated by either colon (:) or equals sign (=)
Command
extractkv pairdelim=",;" kvdelim=":="
Output
ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12 startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|endTime=1401690599999|DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt |