extractkv

This search command extracts name=value pairs from raw event data depending on the delimiters specified. By default, name=value pairs are automatically extracted by the product, assuming the equal-to sign (=) as the separator. But when you run this command, name=value pairs are extracted depending on the options specified (kvdelim and pairdelim). Specifying the options is optional. If you run the command without specifying an option, even though the search results look unchanged, the name=value pairs are overridden and are displayed as virtual fields.

You can use this command to extract name=value pairs using other delimiters. A delimiter can be any character by which you extract name=value pairs (kvdelim) and name=value pair sets (pairdelim). You can use multiple characters as delimiters for extracting name=value pairs and name=value pair sets.

If you specify an option without its value, then by default a space ( ) is assumed as the delimiter for extracting name=value pair sets and the equal-to sign (=) is assumed as the delimiter for extracting name=value pairs. You can optionally limit the number of name=value pair sets to be extracted by using the limit parameter (the default is 50).

This topic contains the following information:

For a list of all search commands, see Search-commands.

Related topics

Where to find more information

extract

Searching-the-data

Known issue for limit parameter

Syntax

extractkv [pairdelim="<Delimiters>"] [kvdelim="<Delimiters>"] [limit=<int>]

In the preceding syntax, the following definitions apply:

  • [Expression] indicates it is optional.
  • pairdelim="<Delimiters>" indicates the option for specifying the delimiters that separate name=value pair sets.
  • kvdelim="<Delimiters>" indicates the option for specifying the delimiters that separate name=value pairs.
  • limit=<int> indicates the integer value to use for limiting the number of name=value pairs and name=value pair sets.

Short examples

Example 1: Extract name=value pairs where the name=value pair delimiter and name=value pair sets delimiter are set to default.

... | extractkv 

Example 2: Extract name=value pair sets separated by pipe and semi-colon (|;), where the delimiter for pairdelim (name=value pair sets) and limit options are set to default.

... | extractkv pairdelim="|;" 

Example 3: Extract name=value pairs separated by colon (:), where the delimiter for kvdelim option (name=value pairs) is set to default.

... | extractkv kvdelim=":" 

Example 4: Extract a maximum of ten name=value pairs where the delimiter for kvdelim (name=value pairs) and the delimiter for pairdelim (name=value pair sets) are set to default.

... | extractkv limit=10 

Example 5: Extract name=value pairs separated by colon and equal-to (:=) and name=value pair sets separated by comma and semi-colon (,;).

... | extractkv pairdelim=",;" kvdelim=":="

Long examples

The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the extractkv command. 

Sample data

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006;
count=12; from startTime:1401688800000, endTime : 1401690599999

Back to examples ↑

Sample indexed data

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006;
count=12; from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

extractkv with default values

In this example, you use the command to extract:

  • name=value pairs separated by equal-to sign (=)
  • name=value pair sets separated by space ( )

Command

extractkv

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |count=12|COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

pairdelim

In this example, you use the command to extract name=value pair sets separated by semicolon (;)

Command

extractkv pairdelim=";"

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

kvdelim

In this example, you use the command to extract name=value pairs separated by colon (:)

Command

extractkv kvdelim=":"

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006;|count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

pairdelim and kvdelim

In this example, you use the command to extract:

  • name=value pair sets separated by semicolon (;)
  • name=value pairs separated by colon (:)

Command

extractkv pairdelim=";" kvdelim=":"

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

kvdelim and limit

In this example, you use the command to extract a maximum of two name=value pairs separated by either colon (:) or equal-to sign (=)

Command

extractkv limit=2 kvdelim=":="

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |index=bw-2014-06-02-06-006;|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

pairdelim and kvdelim with multiple values and limit

In this example, you use the command to extract:

  • maximum of two name=value pair sets separated by either comma (,) or semicolon (;)
  • maximum of two name=value pairs separated by either colon (:) or equal-to sign (=)

Command

extractkv pairdelim=",;" kvdelim=":=" limit=2

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

pairdelim and kvdelim with multiple values

In this example, you use the command to extract:

  • name=value pair sets separated by either comma (,) or semicolon (;)
  • name=value pairs separated by either colon (:) or equal-to sign (=)

Command

extractkv pairdelim=",;" kvdelim=":="

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|endTime=1401690599999|DATA_PATTERN=Free Text |COLLECTOR=x.txt

Back to examples ↑

 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*