> For the complete documentation index, see [llms.txt](https://docs.invisiblebits.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.invisiblebits.com/transformation-pipelines/transformations/extractors/key-value.md).

# Key-value

In cybersecurity and IT operations, **key-value format** refers to a structured way of representing data where each piece of information is expressed as a **key** (or field name) paired with its corresponding **value**. This format is commonly used in **security events** generated by firewalls, intrusion detection systems, antivirus, and other IT data sources.

***

#### **Structure of Key-Value Format**

Each **key** identifies what the data represents (e.g., `src_ip`, `action`, `timestamp`), and the **value** provides the actual data. The key and value are typically separated by a character like `=`, `:` or `=>`, and multiple key-value pairs are separated by spaces, commas, or new lines.

**Example of a key / value event:**

```
timestamp=2025-03-26T14:35:00Z src_ip=192.168.1.10 dst_ip=10.0.0.5 
action=blocked protocol=TCP port=443
```

***

The key / value extractor can be configured with next parameters:

<table><thead><tr><th width="207.36328125">Parameter</th><th>Description</th></tr></thead><tbody><tr><td>KV field</td><td>Event field that contains de key / value string. By default this is the <strong>message</strong> field</td></tr><tr><td>Split character</td><td><p>Parses the key and value based on a specified delimiter.</p><p>Most used split characters are = and :<br>By default this is the = character</p></td></tr><tr><td>Wrapper Character</td><td><p>Used to enclose values to handle cases where the content includes spaces, special characters, or delimiters that might otherwise interfere with parsing.</p><p>Most used Wrapper Characters are double quotes (") and single quotes (')<br>By default this is the " character</p></td></tr><tr><td>Field Separator Pattern</td><td><p>Refers to the specific character or sequence of characters used to delineate one key-value pair from another in a dataset. This pattern helps the parser identify where one pair ends and the next begins, enabling it to process the input correctly.</p><p>Most used field separator is the space character (\s)<br>By default this is the \s (space) character</p></td></tr></tbody></table>

<br>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.invisiblebits.com/transformation-pipelines/transformations/extractors/key-value.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.