Key-Value
Synopsis
Parses key=value formatted messages into structured fields.
Schema
- key_value:
field: <ident>
target_field: <string>
field_split: <string>
value_split: <string>
include_keys: <array>
exclude_keys: <array>
prefix: <string>
trim_key: <string>
trim_value: <string>
description: <text>
if: <script>
ignore_failure: <boolean>
ignore_missing: <boolean>
on_failure: <processor[]>
on_success: <processor[]>
tag: <string>
Configuration
The following fields are used to define the processor:
| Field | Required | Default | Description |
|---|---|---|---|
field | Y | - | Source field containing key=value formatted data |
target_field | N | Root level | Target field to store parsed key-value pairs |
field_split | N | \s+ | Regex pattern to split fields (space by default) |
value_split | N | = | Character(s) to split key from value |
include_keys | N | - | Array of keys to include (whitelist) |
exclude_keys | N | - | Array of keys to exclude (blacklist) |
prefix | N | - | Prefix to add to all extracted field names |
trim_key | N | "' | Characters to trim from keys |
trim_value | N | "' | Characters to trim from values |
description | N | - | Explanatory note |
if | N | - | Condition to run |
ignore_failure | N | false | Continue processing if parsing fails |
ignore_missing | N | false | Skip processing if referenced field doesn't exist |
on_failure | N | - | See Handling Failures |
on_success | N | - | See Handling Success |
tag | N | - | Identifier |
Details
Parses structured data from key=value formatted strings commonly found in log messages, configuration data, and query parameters. The processor supports flexible field and value separators and can filter keys using include/exclude lists.
The processor automatically handles quoted values and provides options for trimming unwanted characters from keys and values.
The processor supports various key=value formats including space-separated ("key1=value1 key2=value2"), comma-separated, and custom delimited formats. The field_split parameter accepts regex patterns for complex splitting requirements.
When both include_keys and exclude_keys are specified, the include list takes precedence, and only explicitly included keys are processed.
If the source field contains malformed key=value pairs or uses unexpected separators, some pairs may be skipped. Use ignore_failure to continue processing even when parsing encounters errors.
Examples
Basic Key-Value Parsing
Parsing space-separated key=value pairs... | |
extracts fields to root level: | |
With Target Field
Storing parsed data in specific field... | |
creates nested structure: | |
Custom Separators
Using comma separation and colon assignment... | |
handles custom delimiters: | |
Key Filtering
Including only specific keys... | |
extracts only specified keys: | |
Quoted Values
Handling quoted values with spaces... | |
removes quotes from values: | |