Docs.bmc.com will undergo a brief maintenance outage 27 March 2025. The site will be unavailable for ten minutes starting at 6:30 AM CDT/5 PM IST.

extractkv search command

This search command extracts name=value pairs from raw event data depending on the delimiters specified. By default, name=value pairs are automatically extracted by the product, assuming the equals sign (=) as the separator. But when you run this command, name=value pairs are extracted depending on the options specified (kvdelim and pairdelim). Specifying these options is optional.

Note

If you run the command without specifying an option, even though the search results look unchanged, the name=value pairs are overridden and are displayed as virtual fields.

You can use this command to extract name=value pairs using other delimiters. A delimiter can be any character by which you extract name=value pairs (kvdelim) and name=value pair sets (pairdelim). You can use multiple characters as delimiters for extracting name=value pairs and name=value pair sets.

If you specify an option without its value, then by default a space ( ) is assumed as the delimiter for extracting name=value pair sets and the equals sign (=) is assumed as the delimiter for extracting name=value pairs. You can optionally limit the number of name=value pair sets to be extracted by using the limit parameter (the default is 50).

This topic contains the following information:

For a list of all search commands, see Search-commands.

Related topics

extract-search-command

Getting-started-with-search

Known issue for limit parameter

Syntax

extractkv [pairdelim="<Delimiters>"] [kvdelim="<Delimiters>"] [limit=<int>]

In the preceding syntax, the following definitions apply:

  • [Expression] indicates it is optional.
  • pairdelim="<Delimiters>" indicates the option for specifying the delimiters that separate name=value pair sets.
  • kvdelim="<Delimiters>" indicates the option for specifying the delimiters that separate name=value pairs.
  • limit=<int> indicates the integer value to use for limiting the number of name=value pairs and name=value pair sets.

Short examples

Example 1: Extract name=value pairs where the name=value pair delimiter and name=value pair sets delimiter are set to default.

... | extractkv 

Example 2: Extract name=value pair sets separated by pipe and semi-colon (|;), where the delimiter for pairdelim (name=value pair sets) and limit options are set to default.

... | extractkv pairdelim="|;" 

Example 3: Extract name=value pairs separated by colon (:), where the delimiter for kvdelim option (name=value pairs) is set to default.

... | extractkv kvdelim=":" 

Example 4: Extract a maximum of ten name=value pairs where the delimiter for kvdelim (name=value pairs) and the delimiter for pairdelim (name=value pair sets) are set to default.

... | extractkv limit=10 

Example 5: Extract name=value pairs separated by colon and equals sign (:=) and name=value pair sets separated by comma and semi-colon (,;).

... | extractkv pairdelim=",;" kvdelim=":="

Long examples

The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the extractkv command. 

Sample data

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006;
count=12; from startTime:1401688800000, endTime : 1401690599999

Back to examples ↑

Sample indexed data

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006;
count=12; from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |
DATA_PATTERN=Free Text without Timestamp | COLLECTOR=x.txt

Back to examples ↑

extractkv with default values

In this example, you use the command to extract:

  • name=value pairs separated by equals sign (=)
  • name=value pair sets separated by space ( )

Command

extractkv

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |count=12|COLLECTOR_NAME=log_data |searchId=1401867925702 |
DATA_PATTERN=Free Text without Timestamp | COLLECTOR=x.txt

Back to examples ↑

pairdelim

In this example, you use the command to extract name=value pair sets separated by semicolon (;)

Command

extractkv pairdelim=";"

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |count=12|COLLECTOR_NAME=log_data |searchId=1401867925702| DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt

Back to examples ↑

kvdelim

In this example, you use the command to extract name=value pairs separated by colon (:)

Command

extractkv kvdelim=":"

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006;|count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt

Back to examples ↑

pairdelim and kvdelim

In this example, you use the command to extract:

  • name=value pair sets separated by semicolon (;)
  • name=value pairs separated by colon (:)

Command

extractkv pairdelim=";" kvdelim=":"

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12 |COLLECTOR_NAME=log_data |searchId=1401867925702 |DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt

Back to examples ↑

kvdelim and limit

In this example, you use the command to extract a maximum of two name=value pairs separated by either colon (:) or equals sign (=)

Command

extractkv limit=2 kvdelim=":="

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |index=bw-2014-06-02-06-006;|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt

Back to examples ↑

pairdelim and kvdelim with multiple values and limit

In this example, you use the command to extract:

  • maximum of two name=value pair sets separated by either comma (,) or semicolon (;)
  • maximum of two name=value pairs separated by either colon (:) or equals sign (=)

Command

extractkv pairdelim=",;" kvdelim=":=" limit=2

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12;
from startTime:1401688800000, endTime : 1401690599999

HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt

Back to examples ↑

pairdelim and kvdelim with multiple values

In this example, you use the command to extract:

  • name=value pair sets separated by either comma (,) or semicolon (;)
  • name=value pairs separated by either colon (:) or equals sign (=)

Command

extractkv pairdelim=",;" kvdelim=":="

Output

ChartData found for searchId = 1401867925702, index:bw-2014-06-02-06-006; count=12
from startTime:1401688800000, endTime : 1401690599999

startTime=1401688800000|HOST=my-server.bmc.com |index=bw-2014-06-02-06-006|count=12|COLLECTOR_NAME=log_data |searchId=1401867925702|endTime=1401690599999|DATA_PATTERN=Free Text without Timestamp |COLLECTOR=x.txt

Back to examples ↑