KV processor
editKV processor
editThis processor helps automatically parse messages (or specific event fields) which are of the foo=bar variety.
For example, if you have a log message which contains ip=1.2.3.4 error=REFUSED, you can parse those fields automatically by configuring:
{
"kv": {
"field": "message",
"field_split": " ",
"value_split": "="
}
}
Using the KV Processor can result in field names that you cannot control. Consider using the Flattened data type instead, which maps an entire object as a single field and allows for simple searches over its contents.
Table 30. KV Options
| Name | Required | Default | Description |
|---|---|---|---|
|
yes |
- |
The field to be parsed. Supports template snippets. |
|
yes |
- |
Regex pattern to use for splitting key-value pairs |
|
yes |
- |
Regex pattern to use for splitting the key from the value within a key-value pair |
|
no |
|
The field to insert the extracted keys into. Defaults to the root of the document. Supports template snippets. |
|
no |
|
List of keys to filter and insert into document. Defaults to including all keys |
|
no |
|
List of keys to exclude from document |
|
no |
|
If |
|
no |
|
Prefix to be added to extracted keys |
|
no |
|
String of characters to trim from extracted keys |
|
no |
|
String of characters to trim from extracted values |
|
no |
|
If |
|
no |
- |
Description of the processor. Useful for describing the purpose of the processor or its configuration. |
|
no |
- |
Conditionally execute the processor. See Conditionally run a processor. |
|
no |
|
Ignore failures for the processor. See Handling pipeline failures. |
|
no |
- |
Handle failures for the processor. See Handling pipeline failures. |
|
no |
- |
Identifier for the processor. Useful for debugging and metrics. |