key=value pairs

FilterX is an experimental feature currently under development. Feedback is most welcome on Discord and GitHub.

Available in AxoSyslog 4.8.1 and later.

The parse_kv FilterX function can split a string consisting of whitespace or comma-separated key=value pairs (for example, Postfix log messages). You can also specify other value separator characters instead of the equal sign, for example, colon (:) to parse MySQL log messages. The AxoSyslog application automatically trims any leading or trailing whitespace characters from the keys and values, and also parses values that contain unquoted whitespace.

Declaration

Usage: parse_kv(<input-string>, value_separator="=", pair_separator=",", stray_words_key="stray_words")

The value_separator must be a single-character string. The pair_separator can be a regular string.

Example

In the following example, the source is a Postfix log message consisting of comma-separated key=value pairs:

Jun 20 12:05:12 mail.example.com <info> postfix/qmgr[35789]: EC2AC1947DA: from=<[email protected]>, size=807, nrcpt=1 (queue active)

filterx {
    ${PARSED_MESSAGE} = parse_kv(${MESSAGE});
};

You can set the value separator character (the character between the key and the value) to parse, for example, key:value pairs, like those in MySQL logs:

Mar  7 12:39:25 myhost MysqlClient[20824]: SYSTEM_USER:'oscar', MYSQL_USER:'my_oscar', CONNECTION_ID:23, DB_SERVER:'127.0.0.1', DB:'--', QUERY:'USE test;'

filterx {
    ${PARSED_MESSAGE} = parse_kv(${MESSAGE}, value_separator=":", pair_separator=",");
};

Options of key=value parsers

The parse_kv FilterX function has the following options.

pair_separator

Specifies the character or string that separates the key-value pairs from each other. Default value: , .

For example, to parse key1=value1;key2=value2 pairs, use:

${MESSAGE} = parse_kv("key1=value1;key2=value2", pair_separator=";");

stray_words_key

Specifies the key where AxoSyslog stores any stray words that appear before or between the parsed key-value pairs. If multiple stray words appear in a message, then AxoSyslog stores them as a comma-separated list. Default value: N/A

For example, consider the following message:

VSYS=public; Slot=5/1; protocol=17; source-ip=10.116.214.221; source-port=50989; destination-ip=172.16.236.16; destination-port=162;time=2016/02/18 16:00:07; interzone-emtn_s1_vpn-enodeb_om; inbound; policy=370;

This is a list of key-value pairs, where the value separator is = and the pair separator is ;. However, before the last key-value pair (policy=370), there are two stray words: interzone-emtn_s1_vpn-enodeb_om; and inbound;. If you want to store or process these, specify a key to store them, for example:

${MESSAGE} = "VSYS=public; Slot=5/1; protocol=17; source-ip=10.116.214.221; source-port=50989; destination-ip=172.16.236.16; destination-port=162;time=2016/02/18 16:00:07; interzone-emtn_s1_vpn-enodeb_om; inbound; policy=370;";
${PARSED_MESSAGE} = parse_kv(${MESSAGE}, pair_separator=";", stray_words_key="stray_words");

The value of ${PARSED_MESSAGE}.stray_words for this message will be: ["interzone-emtn_s1_vpn-enodeb_om", "inbound"]

value_separator

Specifies the character that separates the keys from the values. Default value: =.

For example, to parse key:value pairs, use:

${MESSAGE} = parse_kv("key1:value1,key2:value2", value_separator=":");
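
To see how the three options interact, the following added example (not part of the AxoSyslog documentation or code base) is a simplified Python model of the behavior described above, run on the firewall message from the stray_words_key section. The name parse_kv_model and its naive splitting are assumptions made for illustration; the real parser is not implemented this way.

```python
# Simplified model of parse_kv's separator and stray-word options.
# Added illustration, NOT AxoSyslog's parser: it splits naively on
# pair_separator and does not protect separators inside quoted values.

# The firewall message from the stray_words_key section of this page.
FIREWALL_MSG = (
    "VSYS=public; Slot=5/1; protocol=17; source-ip=10.116.214.221; "
    "source-port=50989; destination-ip=172.16.236.16; destination-port=162;"
    "time=2016/02/18 16:00:07; interzone-emtn_s1_vpn-enodeb_om; inbound; "
    "policy=370;"
)


def parse_kv_model(text, value_separator="=", pair_separator=",",
                   stray_words_key=None):
    """Return a dict of pairs; stray words go under stray_words_key, if set."""
    if len(value_separator) != 1:
        raise ValueError("value_separator must be a single character")
    pairs, stray = {}, []
    for token in text.split(pair_separator):
        token = token.strip()
        if not token:
            continue  # empty piece, e.g. after a trailing separator
        key, sep, value = token.partition(value_separator)
        key, value = key.strip(), value.strip()
        if not sep or not key:
            stray.append(token)  # no key<sep>value shape: a stray word
            continue
        # Drop one pair of matching surrounding quotes, as in 'oscar'.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        pairs[key] = value
    if stray_words_key and stray:
        pairs[stray_words_key] = stray
    return pairs


if __name__ == "__main__":
    parsed = parse_kv_model(FIREWALL_MSG, pair_separator=";",
                            stray_words_key="stray_words")
    for key, value in parsed.items():
        print(f"{key!r}: {value!r}")
```

In this model, leaving stray_words_key unset drops the two stray words silently, so downstream rules that rely on them (here, the zone name and direction) would never see them.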