
NVP (name-value pair) Parser

Parses name-value pairs. See Supported reader-parser combinations for compatible readers.

NVP Parser properties

| property | type | default value | notes |
|---|---|---|---|
| Block as Complete Record | Boolean | False | |
| Charset | String | UTF-8 | |
| Pair Delimiter | String | | default value is one space (UTF-8 0x20) |
| Quote Set | String | " | |
| Row Delimiter | String | \n | |
| Trim Quote | Boolean | True | |
| Value Delimiter | String | = | |

The output type of a source using NVPParser is WAEvent.

NVP Parser example

Output from a source using this parser can be selected using VALUE(x,"<name>"). For example, if given the following input event:

2014-08-22T11:51:52.920281+03:00 10.184.2.46 date=2014-08-22 time=11:51:52 
devname=fw000a08 devid=FGT118 logid=0000000015 type=traffic subtype=forward level=notice 
vd=fbb-dmz srcip=10.46.227.81 srcport=29200 srcintf="Int-Channel1" dstip=195.39.224.106 
dstport=443 dstintf="Mango" sessionid=102719642 status=start policyid=265 
dstcountry="Japan" srccountry="Japan" trandisp=dnat tranip=10.1.1.1 tranport=443 
service=HTTPS proto=6 duration=0 sentbyte=0 rcvdbyte=0

the following code:

CREATE SOURCE NVPSource USING FileReader (
  directory:'Samples',
  WildCard:'NVPTestData.txt',
  positionByEOF:false)
PARSE USING NVPParser ()
OUTPUT TO NvpStream;

CREATE TYPE nvptype (
  ipaddress String,
  deviceName String,
  status String,
  policyid int);
CREATE STREAM nvptypedstream OF nvptype;

CREATE CQ typeconversion
  INSERT INTO nvptypedstream
  SELECT VALUE(x,"column1"), VALUE(x,"devid"),VALUE(x,"status"),TO_INT(VALUE(x,"policyid")) 
  FROM nvpStream x;

CREATE TARGET t USING SysOut(name:NVPtest) INPUT FROM NvptypedStream;

will produce the following output:

NVPtest: nvptype_1_0{
  ipaddress: "10.184.2.46"
  deviceName: "FGT118"
  status: "start"
  policyid: 265
}; 

Note that fields 0 and 1 in the input event are a timestamp and an IP address rather than key-value pairs. The IP address is selected using value(x,"column1"). This syntax can be used only for fields at the beginning of the event, before the first key-value pair.
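
The following Python sketch is an added illustration, not Striim code: it models how the Pair Delimiter, Value Delimiter, Quote Set and Trim Quote defaults and the leading column0/column1 fields described above interact on the sample event. The function names split_pairs and parse_nvp are hypothetical, and skipping bare tokens that appear after the first pair is an assumption of this model.

```python
# Added illustration: a small model of the NVP semantics described on this page.
# It is not Striim's implementation; handling of stray tokens is an assumption.

# The page's input event, joined onto one line.
SAMPLE = (
    '2014-08-22T11:51:52.920281+03:00 10.184.2.46 date=2014-08-22 time=11:51:52 '
    'devname=fw000a08 devid=FGT118 logid=0000000015 type=traffic subtype=forward '
    'level=notice vd=fbb-dmz srcip=10.46.227.81 srcport=29200 srcintf="Int-Channel1" '
    'dstip=195.39.224.106 dstport=443 dstintf="Mango" sessionid=102719642 '
    'status=start policyid=265 dstcountry="Japan" srccountry="Japan" trandisp=dnat '
    'tranip=10.1.1.1 tranport=443 service=HTTPS proto=6 duration=0 sentbyte=0 rcvdbyte=0'
)

def split_pairs(row, pair_delim=" ", quote_set='"'):
    """Split on pair_delim, treating delimiters inside a quoted span as data."""
    tokens, buf, quote, i = [], "", None, 0
    while i < len(row):
        ch = row[i]
        if quote is None and row.startswith(pair_delim, i):
            if buf:
                tokens.append(buf)
            buf, i = "", i + len(pair_delim)
            continue
        if quote is None and ch in quote_set:
            quote = ch            # opening quote
        elif ch == quote:
            quote = None          # matching closing quote
        buf += ch
        i += 1
    return tokens + [buf] if buf else tokens

def parse_nvp(row, pair_delim=" ", value_delim="=", quote_set='"', trim_quote=True):
    """Return {name: value}; leading bare fields become column0, column1, ..."""
    record, seen_pair = {}, False
    for n, tok in enumerate(split_pairs(row, pair_delim, quote_set)):
        name, sep, value = tok.partition(value_delim)  # split on the first delimiter only
        if not sep:
            if not seen_pair:                          # positional field before first pair
                record[f"column{n}"] = tok
            continue                                   # assumption: later bare tokens are skipped
        seen_pair = True
        if trim_quote and len(value) >= 2 and value[0] in quote_set and value[-1] == value[0]:
            value = value[1:-1]
        record[name] = value
    return record
```

Because the split happens on the first value delimiter and quoted spans are kept whole, a quoted value that itself contains a space or an equals sign stays one field instead of producing extra names.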