Identifies keys in raw events based on the specified delimiters.
Synopsis
... | keys [pairdelim="<delimiters>"] [kvdelim="<delimiters>"] [limit=<n>]
Where:
pairdelim is a delimiter (or a list of delimiters) that separates one key-value pair from another key-value pair in an event. By default, semicolon, pipe, and comma (; | ,) are used.
kvdelim is a delimiter (or a list of delimiters) that separates a key from its value. By default, "=".
limit is the maximum number of key-value pairs to find. There is no default or maximum value for this parameter.
Usage Notes
This operator only works on raw events. That is, you cannot identify key-value pairs in CEF events or in fields defined by the rex operator.
Although this operator is not required to determine keys, it is recommended that you use it to first determine the keys whose values you want to obtain using the extract operator. This operator returns aggregated results. Therefore, the search results list the keys found in the matching events and their counts.
The keys operator can only be used to determine keys; you cannot pipe those keys into the extract operator. That is, | keys | extract fields=field1 is incorrect.
If a key value is blank (or null), it is ignored and not counted toward the number of hits.
For example, for the following event data:
Date=3/24/2011 | Drink=Lemonade
Date=3/23/2011 | Drink=
Date=3/22/2011 | Drink=Coffee
Search Query: keys pairdelim="|" kvdelim="="
Search Result: Date, 3 hits and Drink, 2 hits
If none of the specified pairdelim characters exists in an event, the event is not parsed into key-value pairs; the whole event is skipped. Similarly, if the specified kvdelim does not exist in a pair, the value is not separated from the key.
To specify a double quote (") as a delimiter, enter it within the pair of double quotes, escaped with a backslash (\). For example, "=\"|". Similarly, use two backslashes to treat a backslash character literally. For example, "\\".
Examples
...| keys pairdelim="|" kvdelim="="
Identifies keys (Date and Drink) in an event of this format: Date=3/24/2011 | Drink=Lemonade.
...| keys pairdelim="," kvdelim=">="
Identifies keys (Path and IPAddress) in the event of this format: Path>c:\usr\log, IPAddress=1.1.1.1
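The following is an added example that emulates the keys operator's documented behaviour (delimiter lists, skipping events with no pair delimiter, ignoring blank values, aggregated hit counts) so the two examples above and the Date/Drink usage note can be checked offline; it is not ArcSight's implementation. It assumes that a delimiter list is a set of single characters and that limit caps the number of pairs taken from each event.

```python
import re
from collections import Counter

# Constructed sample events copied from the usage note above (not real log data).
SAMPLE_EVENTS = [
    "Date=3/24/2011 | Drink=Lemonade",
    "Date=3/23/2011 | Drink=",
    "Date=3/22/2011 | Drink=Coffee",
]


def find_keys(events, pairdelim=";|,", kvdelim="=", limit=None):
    """Return a Counter of key -> hits, emulating `keys` on raw events.

    Assumptions (not stated by the documentation): pairdelim and kvdelim
    are sets of single-character delimiters, and `limit` is applied per
    event. Documented behaviour that is reproduced: an event without any
    pair delimiter is skipped whole, a pair without a kv delimiter yields
    no key, and a key whose value is blank does not count as a hit.
    """
    # Character classes built with re.escape so that | ; > = \ are literal.
    pair_re = re.compile("[" + re.escape(pairdelim) + "]")
    kv_re = re.compile("[" + re.escape(kvdelim) + "]")
    counts = Counter()
    for event in events:
        if not pair_re.search(event):
            continue  # no pair delimiter at all: skip the whole event
        pairs = pair_re.split(event)
        if limit is not None:
            pairs = pairs[:limit]
        for pair in pairs:
            # Split on the first kv delimiter only; the value may contain more.
            parts = kv_re.split(pair, maxsplit=1)
            if len(parts) != 2:
                continue  # kvdelim absent: value not separated from key
            key, value = parts[0].strip(), parts[1].strip()
            if key and value:  # blank or null values are not counted
                counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, hits in find_keys(SAMPLE_EVENTS, pairdelim="|").items():
        print(f"{key}, {hits} hits")
```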