• Spaces
  • Collections
  • Help
    • ×
     
     
    •  
    BMC TrueSight IT Data Analytics 2.1

    Page tree

    This search command extracts name=value pairs from raw event data depending on the delimiters specified. By default, name=value pairs are automatically extracted by the product, assuming the equals sign (=) as the separator. But when you run this command, name=value pairs are extracted depending on the options specified (kvdelim and pairdelim). Specifying these options is optional.

    Note

    If you run the command without specifying an option, even though the search results look unchanged, the name=value pairs are overridden and are displayed as virtual fields.

    You can use this command to extract name=value pairs using other delimiters. A delimiter can be any character by which you extract name=value pairs (kvdelim) and name=value pair sets (pairdelim). You can use multiple characters as delimiters for extracting name=value pairs and name=value pair sets.

    If you specify an option without its value, then by default a space ( ) is assumed as the delimiter for extracting name=value pair sets and the equals sign (=) is assumed as the delimiter for extracting name=value pairs. You can optionally limit the number of name=value pair sets to be extracted by using the limit parameter (the default is 50).

    This topic contains the following information:

    For a list of all search commands, see Search commands.

    Related topics

    Syntax

    extractkv [pairdelim="<Delimiters>"] [kvdelim="<Delimiters>"] [limit=<int>]

    In the preceding syntax, the following definitions apply:

    • [Expression] indicates it is optional.

    • pairdelim="<Delimiters>" indicates the option for specifying the delimiters that separate name=value pair sets.

    • kvdelim="<Delimiters>" indicates the option for specifying the delimiters that separate name=value pairs.

    • limit=<int> indicates the integer value to use for limiting the number of name=value pairs and name=value pair sets.

    Short examples

    Example 1: Extract name=value pairs where the name=value pair delimiter and name=value pair sets delimiter are set to default.

    ... | extractkv 

    Example 2: Extract name=value pair sets separated by pipe and semi-colon (|;), where the delimiter for pairdelim (name=value pair sets) and limit options are set to default.

    ... | extractkv pairdelim="|;" 

    Example 3: Extract name=value pairs separated by colon (:), where the delimiter for kvdelim option (name=value pairs) is set to default.

    ... | extractkv kvdelim=":" 

    Example 4: Extract a maximum of ten name=value pairs where the delimiter for kvdelim (name=value pairs) and the delimiter for pairdelim (name=value pair sets) are set to default.

    ... | extractkv limit=10 

    Example 5: Extract name=value pairs separated by colon and equals sign (:=) and name=value pair sets separated by comma and semi-colon (,;).

    ... | extractkv pairdelim=",;" kvdelim=":="

    Long examples

    The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the extractkv command. 

    Sample data

    ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; 
    count=12; from startTime:1401688800000, endTime : 1401690599999

    Back to examples ↑

    Sample indexed data

    ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; 
    count=12; from startTime:1401688800000, endTime : 1401690599999
    HOST=my-server.bmc.com |count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |
    DATA_PATTERN=Free Text without Timestamp | COLLECTOR=x.txt

    Back to examples ↑

    extractkv with default values

    In this example, you use the command to extract:

    • name=value pairs separated by equals sign (=)
    • name=value pair sets separated by space ( )

    Command

    extractkv

    Output

    ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
    from startTime:1401688800000, endTime : 1401690599999
    HOST=my-server.bmc.com |count=12|COLLECTOR_NAME=log_data |searchId=1401867925702 |
    DATA_PATTERN=Free Text without Timestamp | COLLECTOR=x.txt

    Back to examples ↑

    pairdelim

    In this example, you use the command to extract name=value pair sets separated by semicolon (;)

    Command

    extractkv pairdelim=";"

    Output

    ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
    from startTime:1401688800000, endTime : 1401690599999
    HOST=my-server.bmc.com |count=12|COLLECTOR_NAME=log_data |searchId=1401867925702| DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt

    Back to examples ↑

    kvdelim

    In this example, you use the command to extract name=value pairs separated by colon (:)

    Command

    extractkv kvdelim=":"

    Output

    ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
    from startTime:1401688800000, endTime : 1401690599999
    startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006;|count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt

    Back to examples ↑

    pairdelim and kvdelim

    In this example, you use the command to extract:

    • name=value pair sets separated by semicolon (;)
    • name=value pairs separated by colon (:)

    Command

    extractkv pairdelim=";" kvdelim=":"

    Output

    ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
    from startTime:1401688800000, endTime : 1401690599999
    startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt

    Back to examples ↑

    kvdelim and limit

    In this example, you use the command to extract a maximum of two name=value pairs separated by either colon (:) or equals sign (=)

    Command

    extractkv limit=2 kvdelim=":="

    Output

    ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
    from startTime:1401688800000, endTime : 1401690599999
    HOST=my-server.bmc.com |index=bw-2014-06-02-06-006;|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt

    Back to examples ↑

    pairdelim and kvdelim with multiple values and limit

    In this example, you use the command to extract:

    • maximum of two name=value pair sets separated by either comma (,) or semicolon (;)
    • maximum of two name=value pairs separated by either colon (:) or equals sign (=)

    Command

    extractkv pairdelim=",;" kvdelim=":=" limit=2

    Output

    ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
    from startTime:1401688800000, endTime : 1401690599999
    HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt

    Back to examples ↑

    pairdelim and kvdelim with multiple values

    In this example, you use the command to extract:

    • name=value pair sets separated by either comma (,) or semicolon (;)
    • name=value pairs separated by either colon (:) or equals sign (=)

    Command

    extractkv pairdelim=",;" kvdelim=":="

    Output

    ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12; 
    from startTime:1401688800000, endTime : 1401690599999
    startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|endTime=1401690599999|DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt

    Back to examples ↑

    © Copyright 2005-2023 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.