key=value pairs
FilterX is an experimental feature currently under development. Feedback is most welcome on Discord and GitHub.
Available in AxoSyslog 4.8.1 and later.
The parse_kv FilterX function can split a string consisting of whitespace or comma-separated key=value pairs (for example, Postfix log messages). You can also specify other value separator characters instead of the equal sign, for example, colon (:) to parse MySQL log messages. The AxoSyslog application automatically trims any leading or trailing whitespace characters from the keys and values, and also parses values that contain unquoted whitespace.
If the same key appears multiple times in the input (for example, key1=value1, key2=value2, key1=value3, key3=value4, key1=value5), then AxoSyslog only stores the last (rightmost) value for the key. Using the previous example, AxoSyslog will store the following pairs: key1=value5, key2=value2, key3=value4.
By default, the parser discards sections of the input string that are not key=value pairs, even if they appear between key=value pairs that can be parsed. To store such sections, see stray_words_key.
The names of the keys can contain only the following characters: numbers (0-9), letters (a-z,A-Z), underscore (_), dot (.), hyphen (-). Other special characters are not permitted.
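The following added example is not part of the original page and is not AxoSyslog code. It is a simplified Python model of the rules stated above, which reports what the final pairs are, which earlier values a duplicate key overwrote, and which sections are not key=value pairs. The name kv_model, the constructed sample and the handling of keys with other characters are assumptions of this model; the real parser's tokenisation (quoting, whitespace-separated pairs) is more involved.

```python
import re

# Key charset stated on this page: digits, letters, underscore, dot, hyphen.
KEY_RE = re.compile(r"[0-9A-Za-z_.\-]+")


def kv_model(text, value_separator="=", pair_separator=","):
    """Simplified model of the rules on this page (not AxoSyslog code).

    Returns (pairs, dropped, stray):
      pairs   - final key -> value mapping, last (rightmost) value wins
      dropped - (key, value) tuples overwritten by a later duplicate
      stray   - sections that are not key=value pairs
    """
    if len(value_separator) != 1:
        raise ValueError("value_separator must be a single character")
    pairs, dropped, stray = {}, [], []
    for section in text.split(pair_separator):
        key, sep, value = section.partition(value_separator)
        key, value = key.strip(), value.strip()  # whitespace is trimmed
        # Model assumption: a section whose key contains other characters
        # is treated as "not a pair", like a section with no separator.
        if not sep or not KEY_RE.fullmatch(key):
            if section.strip():
                stray.append(section.strip())
            continue
        if key in pairs:
            dropped.append((key, pairs[key]))  # earlier value is lost
        pairs[key] = value
    return pairs, dropped, stray


# Duplicate-key input taken from this page.
PAGE_SAMPLE = "key1=value1, key2=value2, key1=value3, key3=value4, key1=value5"
# Constructed input: a stray section between pairs and a repeated key.
CONSTRUCTED = "user=alice, login failed, user=bob"

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED):
        pairs, dropped, stray = kv_model(sample)
        print("pairs:  ", pairs)
        print("dropped:", dropped)
        print("stray:  ", stray)
        print()
```

Running a check like this over sample lines from a log source shows which values will not appear in the parsed result, which helps decide whether stray_words_key is needed for that source.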
Declaration
Usage: parse_kv(<input-string>, value_separator="=", pair_separator=",", stray_words_key="stray_words")
The value_separator must be a single-character string. The pair_separator can be a regular string.
Example
In the following example, the source is a Postfix log message consisting of comma-separated key=value pairs:
Jun 20 12:05:12 mail.example.com <info> postfix/qmgr[35789]: EC2AC1947DA: from=<me@example.com>, size=807, nrcpt=1 (queue active)
filterx {
${PARSED_MESSAGE} = parse_kv(${MESSAGE});
};
You can set the value separator character (the character between the key and the value) to parse, for example, key:value pairs, like MySQL logs:
Mar 7 12:39:25 myhost MysqlClient[20824]: SYSTEM_USER:'oscar', MYSQL_USER:'my_oscar', CONNECTION_ID:23, DB_SERVER:'127.0.0.1', DB:'--', QUERY:'USE test;'
filterx {
${PARSED_MESSAGE} = parse_kv(${MESSAGE}, value_separator=":", pair_separator=",");
};