Key-value
In cybersecurity and IT operations, key-value format refers to a structured way of representing data where each piece of information is expressed as a key (or field name) paired with its corresponding value. This format is commonly used in security events generated by firewalls, intrusion detection systems, antivirus, and other IT data sources.
Structure of Key-Value Format
Each key identifies what the data represents (e.g., src_ip, action, timestamp), and the value provides the actual data. The key and value are typically separated by a character like =, : or =>, and multiple key-value pairs are separated by spaces, commas, or new lines.
Example of a key / value event (pairs separated by spaces, key and value separated by =):
timestamp=2025-03-26T14:35:00Z src_ip=192.168.1.10 dst_ip=10.0.0.5 action=blocked protocol=TCP port=443
The key / value extractor can be configured with the following parameters:
KV field
Event field that contains the key / value string. By default this is the message field.
Split character
The delimiter that separates a key from its value; the parser splits each pair on this character.
The most used split characters are = and :. By default this is the = character.
Wrapper Character
Used to enclose values so that content containing spaces, special characters, or the split or separator characters is kept inside the value instead of being interpreted as the start of a new pair.
The most used wrapper characters are double quotes (") and single quotes ('). By default this is the " character.
Field Separator Pattern
The character or sequence of characters that delineates one key-value pair from the next. The parser uses this pattern to determine where one pair ends and the next begins; a value that contains the separator must be wrapped, otherwise the text after the separator is read as a new pair.
The most used field separator is whitespace. By default this is the \s (space) pattern.
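The following Python parser is an added example of how the three options above interact; it is not the extractor's own code and does not reproduce the product's implementation. Function names, the sample events and the exact behaviour (duplicate keys: last one wins; unwrapped values ending at the first separator; an error on leftover text that is not a pair) are assumptions made for the illustration. The field separator is treated as a regular expression, so \s, a comma, or \s*,\s* all work.

```python
import re

# Constructed sample events (not taken from any real device log).
SAMPLE_EVENT = (
    "timestamp=2025-03-26T14:35:00Z src_ip=192.168.1.10 dst_ip=10.0.0.5 "
    "action=blocked protocol=TCP port=443"
)
QUOTED_EVENT = 'user="John Doe" msg="conn reset by peer" action=allowed path=""'
# A free-text field carrying spoofed pairs; wrapping keeps them inside msg.
INJECTED_EVENT = 'src_ip=203.0.113.7 msg="user=admin action=allowed" action=blocked'


def parse_key_value(text, split_char="=", wrapper_char='"', field_separator=r"\s"):
    """Hypothetical key / value extractor mirroring the three documented options.

    split_char      : character between key and value (default "=")
    wrapper_char    : character enclosing values that contain separators (default '"')
    field_separator : regex that separates one pair from the next (default r"\\s")
    Returns a dict; a repeated key keeps the last value seen.
    Raises ValueError if some part of the input cannot be read as a pair.
    """
    sep = re.escape(split_char)
    wrap = re.escape(wrapper_char)
    pair = re.compile(
        # key: anything up to the split character or a field separator
        rf"(?P<key>(?:(?!{field_separator}|{sep}).)+){sep}"
        # value: either a wrapped run (may contain spaces and split chars) ...
        rf"(?:{wrap}(?P<wrapped>[^{wrap}]*){wrap}"
        # ... or a bare run that stops at the next field separator
        rf"|(?P<bare>(?:(?!{field_separator}).)*))"
        # consume the separator(s) after the pair, or the end of input
        rf"(?:(?:{field_separator})+|$)"
    )
    pairs = {}
    pos = re.match(rf"(?:{field_separator})*", text).end()  # skip leading separators
    while pos < len(text):
        m = pair.match(text, pos)
        if m is None:
            raise ValueError(f"unparsable input at offset {pos}: {text[pos:pos + 20]!r}")
        wrapped = m.group("wrapped")
        pairs[m.group("key")] = wrapped if wrapped is not None else m.group("bare")
        pos = m.end()
    return pairs


def is_parsable(text, **options):
    """True if the whole input decomposes into key / value pairs."""
    try:
        parse_key_value(text, **options)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_key_value(SAMPLE_EVENT))
    print(parse_key_value(QUOTED_EVENT))
    # Same event with ':' as split character; the timestamp keeps its inner colons.
    print(parse_key_value("src_ip:10.0.0.5 ts:14:35:00", split_char=":"))
    # Comma-separated pairs with optional surrounding whitespace.
    print(parse_key_value("a=1, b=2", field_separator=r"\s*,\s*"))
    # Wrapped free text stays one value; unwrapped, the same text becomes new pairs.
    print(parse_key_value(INJECTED_EVENT)["msg"])
    print(parse_key_value("msg=user=admin action=allowed"))
    # An unwrapped value with spaces leaves a stray token that is not a pair.
    print(is_parsable("msg=conn reset action=allowed"))
```

The INJECTED_EVENT case is the one worth checking when tuning a source: a log producer that does not wrap free-text fields lets anyone who controls that text (a username, a URL, a User-Agent) introduce fields such as action=allowed into the parsed event, and with last-key-wins semantics that can overwrite a real field that happens to come earlier in the line.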