RunReveal

KV processor

The kv processor parses key-value pairs from log lines and adds the parsed fields to the event's rawLog. Use it for log formats that use key=value pairs, common in Linux system logs and application logs.

Configuration

{
  "sources": {
    "parsed-logs": {
      "type": "kv",
      "source": {
        "type": "file",
        "path": "/var/log/app/",
        "extension": ".log"
      },
      "rules": [
        {
          "match": [
            { "path": "rawLog", "value": "*" }
          ],
          "kvSep": "="
        }
      ]
    }
  }
}

Options

Option   Type     Description
source   object   Required. Nested source configuration
rules    array    Required. List of parsing rules

Rule structure

Field          Type     Description
match[].path   string   JSONPath to the field to match
match[].value  string   Value to match ("*" matches any value)
kvSep          string   Key-value separator character (e.g. "=")

Example: Parse syslog-style key-value logs

Given log lines like:

user=admin action=login status=success ip=192.168.1.100

Configure:

{
  "sources": {
    "auth-logs": {
      "type": "kv",
      "source": {
        "type": "file",
        "path": "/var/log/auth/",
        "extension": ".log"
      },
      "rules": [
        {
          "match": [
            { "path": "rawLog", "value": "*" }
          ],
          "kvSep": "="
        }
      ]
    }
  }
}

The parsed event's rawLog will contain the extracted fields: {"user": "admin", "action": "login", "status": "success", "ip": "192.168.1.100"}.
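To make the parsing and rule-matching behaviour concrete, here is a small model of the processor in Python. It is an added example, not RunReveal's code: the event shape (a dict with a "rawLog" string), the dotted-path lookup standing in for JSONPath, the "*" wildcard semantics and the decision to replace the rawLog string with the parsed dict are assumptions made here. It goes a little beyond the page's single line by also handling quoted values with spaces, a different separator, a malformed token and a rule that does not match; the sample lines are constructed.

```python
"""Toy model of a key=value log processor (added example, not RunReveal's code).

Assumptions not taken from the page: an event is a dict with a "rawLog"
string; a rule matches when every `match` entry's path resolves and its
`value` is "*" or equals the field; on a match the parsed fields replace
the rawLog string.
"""
import json
import shlex
from typing import Any

# Constructed sample lines, not captured from a real system.
SAMPLE_LINES = [
    "user=admin action=login status=success ip=192.168.1.100",
    'user=bob action=sudo cmd="cat /etc/shadow" status=denied',
    "garbage-token user=eve action=login status=failure",
]

# Mirrors the "rules" block of the page's auth-logs configuration.
RULES = [
    {"match": [{"path": "rawLog", "value": "*"}], "kvSep": "="},
]


def parse_kv(line: str, sep: str = "=") -> dict[str, str]:
    """Split a line into tokens and parse each key<sep>value token.

    shlex.split honours quotes, so a value such as "cat /etc/shadow" stays
    one value. Tokens without the separator or with an empty key are
    skipped: one malformed token should not drop the whole event.
    """
    try:
        tokens = shlex.split(line)
    except ValueError:
        # Unbalanced quote: fall back to plain whitespace splitting.
        tokens = line.split()
    fields: dict[str, str] = {}
    for tok in tokens:
        if sep not in tok:
            continue
        key, value = tok.split(sep, 1)
        if key:
            fields[key] = value
    return fields


def get_path(event: dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as "rawLog" (a hypothetical JSONPath subset)."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_matches(event: dict[str, Any], rule: dict[str, Any]) -> bool:
    """All match entries must resolve; "*" accepts any value (assumed)."""
    for m in rule.get("match", []):
        actual = get_path(event, m["path"])
        if actual is None:
            return False
        if m["value"] != "*" and str(actual) != m["value"]:
            return False
    return True


def process_event(event: dict[str, Any], rules: list[dict[str, Any]]) -> dict[str, Any]:
    """Apply the first matching rule; unmatched events pass through unchanged."""
    for rule in rules:
        if rule_matches(event, rule):
            raw = event.get("rawLog")
            if isinstance(raw, str):
                return {**event, "rawLog": parse_kv(raw, rule.get("kvSep", "="))}
    return event


def process_lines(lines: list[str], rules: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Wrap each line as an event and run it through the rules."""
    return [process_event({"rawLog": line}, rules) for line in lines]


if __name__ == "__main__":
    for ev in process_lines(SAMPLE_LINES, RULES):
        print(json.dumps(ev))
```

The first line yields exactly the dict the page shows; the second keeps the quoted command as a single value, which matters when the parsed `cmd` field is later used in a detection rule; the third drops only the malformed token.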
