Extracts key value pairs from raw events.
Synopsis
...| extract [pairdelim="<delimiters>"] [kvdelim="<delimiters>"] [maxchars=<n>] fields="key1,key2,key3..."
Where:
pairdelim is a delimiter (or a list of delimiters) that separates one key-value pair from the next in an event. By default, semicolon, pipe, and comma (; | ,) are used.
kvdelim is a delimiter (or a list of delimiters) that separates a key from its value. By default, "=".
maxchars is the maximum number of characters in an event that are scanned for key-value pairs. By default, 10240.
fields is a key (or a list of comma-separated keys) whose values you want to display in the search results. For example, if you want to display the Name, Age, and Location values from this event:
Name:Jane | Age:30 | Location:LA
extract the "Name", "Age", and "Location" keys and list them in the fields list.
Understanding How the Extract Operator Works
The key represents a field in the raw event and its value consists of the characters that appear after the key until the next key in the event. The following raw event is used to illustrate the concept:
[Thu Jul 30 01:20:06 2009] [error] [client 69.63.180.245] PHP Warning: memcache_pconnect() [<a href='function.memcache-pconnect'>function.memcache-pconnect</a>]: Can't connect to 10.4.31.4:11211
To extract the URL from the above event, you can define these key-pair delimiters, which separate the key-value pairs in the event:
Greater-than sign (>)
Square bracket ([)
And define this key delimiter, which separates the key from its value:
Equal sign (=)
Thus, the following command will extract the URL:
... | extract pairdelim=">\[" kvdelim="=" fields="<a href"
The key value pairs in the event will be: [<a href='function.memcache-pconnect'>
The key in the event will be: <a href
The extracted URL will be: 'function.memcache-pconnect'
Usage Notes
This operator only works on raw events. That is, you cannot extract key value pairs from CEF events or the fields defined by the rex operator.
You can specify the pairdelim and kvdelim delimiters in the extract operator command to extract keys and their values. However, if you want to determine the key names that these delimiters will generate, use the keys operator as described in keys. The keys operator can only be used to determine keys; you cannot pipe those keys in the extract operator. That is, ...| keys | extract fields=field1 is incorrect.
The keys specified in the fields list can be used further in the pipeline operations. For example, ...| extract pairdelim="|" kvdelim=":" fields="count" | top count
If none of the specified pairdelim characters exists in an event, the event is not parsed into key value pairs. The whole event is skipped. Similarly, if the specified kvdelim does not exist, values are not separated from the keys.
To specify double quotes (") as a delimiter, enter it within the pair of double quotes with backslash (\) as the escape character. For example, "=\"|". Similarly, use two backslashes to treat a backslash character literally. For example, "\\".
Example
... | extract pairdelim="|" kvdelim=":" fields="Name,Age,Location"
Extracts values from events in this format:
Name:Jane | Age:30 | Location:LA
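The following is an added reference implementation of the extraction semantics described in this page (how a value runs from the key to the next pair delimiter, the maxchars limit, the skipped-event rule, and backslash-escaped delimiters); it is not the search engine's own code. It assumes that the first occurrence of a key wins, and the sample events are constructed copies of the two shown on this page.

```python
import re

DEFAULT_PAIRDELIM = ";|,"   # documented defaults for the extract operator
DEFAULT_KVDELIM = "="
DEFAULT_MAXCHARS = 10240


def parse_delims(spec):
    """Turn a delimiter string written the way the operator accepts it
    (backslash escapes a literal double quote, backslash or bracket)
    into the plain set of delimiter characters."""
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "\\" and i + 1 < len(spec):
            out.append(spec[i + 1])  # escaped character is taken literally
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return "".join(out)


def extract(event, fields, pairdelim=DEFAULT_PAIRDELIM,
            kvdelim=DEFAULT_KVDELIM, maxchars=DEFAULT_MAXCHARS):
    """Return {field: value} for the requested fields, or None when no
    pair delimiter occurs in the scanned text (the event is skipped)."""
    if isinstance(fields, str):  # accept the operator's "key1,key2" form
        fields = [f.strip() for f in fields.split(",")]
    scan = event[:maxchars]  # only the first maxchars characters are scanned
    pair_chars = parse_delims(pairdelim)
    kv_chars = parse_delims(kvdelim)
    if not any(ch in scan for ch in pair_chars):
        return None
    found = {}
    for pair in re.split("[" + re.escape(pair_chars) + "]", scan):
        m = re.search("[" + re.escape(kv_chars) + "]", pair)
        if m is None:
            continue  # no kv delimiter: key and value are not separated
        key = pair[:m.start()].strip()
        value = pair[m.end():].strip()  # value runs up to the next pair delimiter
        if key:
            found.setdefault(key, value)  # first occurrence wins (assumption)
    return {f: found[f] for f in fields if f in found}


# Constructed copies of the two sample events shown on this page
APACHE_EVENT = ("[Thu Jul 30 01:20:06 2009] [error] [client 69.63.180.245] PHP Warning: "
                "memcache_pconnect() [<a href='function.memcache-pconnect'>"
                "function.memcache-pconnect</a>]: Can't connect to 10.4.31.4:11211")
PIPE_EVENT = "Name:Jane | Age:30 | Location:LA"
```

Running extract(APACHE_EVENT, "<a href", pairdelim=r">\[", kvdelim="=") yields the same 'function.memcache-pconnect' value the walkthrough above derives by hand.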