NVP (name-value pair) Parser
Parses name-value pairs. See Supported reader-parser combinations for compatible readers.
NVP Parser properties
property | type | default value | notes |
---|---|---|---|
Block as Complete Record | Boolean | False | |
Charset | String | UTF-8 | |
Pair Delimiter | String | default value is one space (UTF-8 0x20) | |
Quote Set | String | " | |
Row Delimiter | String | \n | |
Trim Quote | Boolean | True | |
Value Delimiter | String | = |
The output type of a source using NVPParser is WAEvent.
NVP Parser example
Output from a source using this parser can be selected using VALUE(x,"<name>")
. For example, if given the following input event:
2014-08-22T11:51:52.920281+03:00 10.184.2.46 date=2014-08-22 time=11:51:52 devname=fw000a08 devid=FGT118 logid=0000000015 type=traffic subtype=forward level=notice vd=fbb-dmz srcip=10.46.227.81 srcport=29200 srcintf="Int-Channel1" dstip=195.39.224.106 dstport=443 dstintf="Mango" sessionid=102719642 status=start policyid=265 dstcountry="Japan" srccountry="Japan" trandisp=dnat tranip=10.1.1.1 tranport=443 service=HTTPS proto=6 duration=0 sentbyte=0 rcvdbyte=0
the following code:
CREATE SOURCE NVPSource USING FileReader ( directory:'Samples', WildCard:'NVPTestData.txt', positionByEOF:false) PARSE USING NVPParser () OUTPUT TO NvpStream; CREATE TYPE nvptype ( ipaddress String, deviceName String, status String, policyid int); CREATE STREAM nvptypedstream OF nvptype; CREATE CQ typeconversion INSERT INTO nvptypedstream SELECT VALUE(x,"column1"), VALUE(x,"devid"),VALUE(x,"status"),TO_INT(VALUE(x,"policyid")) FROM nvpStream x; CREATE TARGET t USING SysOut(name:NVPtest) INPUT FROM NvptypedStream;
will produce the following output:
NVPtest: nvptype_1_0{ ipaddress: "10.184.2.46" deviceName: "FGT118" status: "start" policyid: 265 };
Note that fields 0 and 1 in the input event are a timestamp and an IP address rather than key-value pairs. The IP address is selected using value(x,"column1")
. This syntax can be used only for fields at the beginning of the event, before the first key-value pair.