extractkv

This search command extracts name=value pairs from raw event data depending on the delimiters specified. By default, name=value pairs are automatically extracted by the product, assuming the equal-to sign (=) as the separator. But when you run this command, name=value pairs are extracted depending on the options specified (kvdelim and pairdelim). Specifying the options is optional. If you run the command without specifying an option, even though the search results look unchanged, the name=value pairs are overridden and are displayed as virtual fields.

You can use this command to extract name=value pairs using other delimiters. A delimiter can be any character by which you extract name=value pairs (kvdelim) and name=value pair sets (pairdelim). You can use multiple characters as delimiters for extracting name=value pairs and name=value pair sets.

If you specify an option without its value, then by default a space ( ) is assumed as the delimiter for extracting name=value pair sets and the equal-to sign (=) is assumed as the delimiter for extracting name=value pairs. You can optionally limit the number of name=value pair sets to be extracted by using the limit parameter (the default is 50).

This topic contains the following information:

For a list of all search commands, see Search commands.

Syntax

extractkv [pairdelim="<Delimiters>"] [kvdelim="<Delimiters>"] [limit=<int>]

In the preceding syntax, the following definitions apply:

[Expression] indicates it is optional.
pairdelim="<Delimiters>" indicates the option for specifying the delimiters that separate name=value pair sets.
kvdelim="<Delimiters>" indicates the option for specifying the delimiters that separate name=value pairs.
limit=<int> indicates the integer value to use for limiting the number of name=value pairs and name=value pair sets.

Short examples

Example 1: Extract name=value pairs where the name=value pair delimiter and name=value pair sets delimiter are set to default.

... | extractkv

Example 2: Extract name=value pair sets separated by "|;" where the name=value pair sets delimiter and limit are set to default.

... | extractkv pairdelim="|;"

Example 3: Extract name=value pairs separated by ":" where the name=value pair sets delimiter is set to default.

... | extractkv kvdelim=":"

Example 4: Extract a maximum of ten name=value pairs where the name=value pair delimiter and name=value pair sets delimiter are set to default.

... | extractkv limit=10

Example 5: Extract name=value pairs separated by ":=" and name=value pair sets separated by ",;".

... | extractkv pairdelim=",;" kvdelim=":="

Long examples

The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the extractkv command.

Sample data

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; 
count=12; from startTime:1401688800000, endTime : 1401690599999

Back to examples ↑

Sample indexed data

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; 
count=12; from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

extractkv with default values

In this example, you use the command to extract:

name=value pairs separated by equal-to sign (=)
name=value pair sets separated by space ( )

Command

extractkv

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |count=12;|COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

pairdelim

In this example, you use the command to extract name=value pair sets separated by semicolon (;)

Command

extractkv pairdelim=";"

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |count=12|COLLECTOR_NAME=log_data |searchId=1401867925702,|DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

kvdelim

In this example, you use the command to extract name=value pairs separated by colon (:)

Command

extractkv kvdelim=":"

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
from startTime:1401688800000, endTime : 1401690599999

startTime=1401688800000,|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006;|count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

pairdelim and kvdelim

In this example, you use the command to extract:

name=value pair sets separated by semicolon (;)
name=value pairs separated by colon (:)

Command

extractkv pairdelim=";" kvdelim=":"

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
from startTime:1401688800000, endTime : 1401690599999

startTime=1401688800000,|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

kvdelim and limit

In this example, you use the command to extract a maximum of two name=value pairs separated by either colon (:) or equal-to sign (=)

Command

extractkv limit=2 kvdelim=":="

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |index=bw-2014-06-02-06-006;|count=12;|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

pairdelim and kvdelim with multiple values and limit

In this example, you use the command to extract:

maximum of two name=value pair sets separated by either comma (,) or semicolon (;)
maximum of two name=value pairs separated by either colon (:) or equal-to sign (=)

Command

extractkv pairdelim=",;" kvdelim=":=" limit=2

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

pairdelim and kvdelim with multiple values

In this example, you use the command to extract:

name=value pair sets separated by either comma (,) or semicolon (;)
name=value pairs separated by either colon (:) or equal-to sign (=)

Command

extractkv pairdelim=",;" kvdelim=":="

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
from startTime:1401688800000, endTime : 1401690599999

startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|endTime=1401690599999|DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

Page tree

Syntax

Short examples

Long examples

Sample data

Sample indexed data

HOST=my-server.bmc.com |count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text |COLLECTOR=x.txt

extractkv with default values

Command

Output

HOST=my-server.bmc.com |count=12;|COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text |COLLECTOR=x.txt

pairdelim

Command

Output

HOST=my-server.bmc.com |count=12|COLLECTOR_NAME=log_data |searchId=1401867925702,|DATA_PATTERN=Free Text |COLLECTOR=x.txt

kvdelim

Command

Output

startTime=1401688800000,|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006;|count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text |COLLECTOR=x.txt

pairdelim and kvdelim

Command

Output

startTime=1401688800000,|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text |COLLECTOR=x.txt

kvdelim and limit

Command

Output

HOST=my-server.bmc.com |index=bw-2014-06-02-06-006;|count=12;|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text |COLLECTOR=x.txt

pairdelim and kvdelim with multiple values and limit

Command

Output

HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text |COLLECTOR=x.txt

pairdelim and kvdelim with multiple values

Command

Output

startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|endTime=1401690599999|DATA_PATTERN=Free Text |COLLECTOR=x.txt

Related topics