parse-keyvals

Parse key=value pairs from event.payload (raw bytes from a source plugin) or event.message. payload takes priority when both are present.

Recognized keys are promoted to top-level fields:

Parsed key        Output field    Notes
msg or message    message         msg takes priority
level             severity        Normalized to a numeric syslog severity (0–7)

All other keys are collected into event.labels. The source field (payload or message) is removed from the output.

Severity mapping

Input                     severity
emerg, omg                0
alert, alrt               1
critical, crit, crt       2
error, err, e             3
warning, warn, wrn, w     4
notice                    5
info, inf, i, normal      6
anything else             7

Config

Optional:

  • delim (string, single character): Key/value delimiter (default: =)

Behaviour notes

  • Quoted values (single or double) are supported: msg="hello world"
  • Escaped double quotes inside double-quoted values are supported: msg="say \"hi\""
  • Whitespace around the delimiter is allowed: level = warn
  • Parsed msg or message will overwrite any existing top-level message field
  • Parsed level will overwrite any existing severity field

Example

pipeline:
  parse-lines:
  parse-keyvals:

Input event (from parse-lines):

{ "message": "level=warn msg=\"disk full\" host=web01" }

Output event:

{ "severity": 4, "message": "disk full", "labels": { "host": "web01" } }
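
The behaviour documented above, reimplemented as an added Python example (not the plugin's own code). Assumptions not stated on this page: payloads are UTF-8, level matching is case-insensitive, tokens without a delimiter are skipped, and parsed labels are merged into any existing labels.

```python
import re

# Severity table from this page; any other level value maps to 7.
SEVERITY = {name: num for num, names in enumerate([
    "emerg omg", "alert alrt", "critical crit crt", "error err e",
    "warning warn wrn w", "notice", "info inf i normal"]) for name in names.split()}


def parse_pairs(text, delim="="):
    """Return {key: value} for every key<delim>value pair found in text."""
    d = re.escape(delim)
    pattern = re.compile(
        r"([^\s" + d + r"]+)\s*" + d + r"\s*"   # key, delimiter, optional whitespace
        r'(?:"((?:[^"\\]|\\.)*)"'               # double-quoted value, \" allowed
        r"|'([^']*)'"                           # single-quoted value
        r"|(\S*))")                             # bare value
    pairs = {}
    for m in pattern.finditer(text):
        key, dq, sq, bare = m.groups()
        if dq is not None:
            pairs[key] = dq.replace('\\"', '"')  # unescape \" inside double quotes
        else:
            pairs[key] = sq if sq is not None else bare
    return pairs


def parse_keyvals(event, delim="="):
    """Apply the promotion rules from this page to a dict-shaped event."""
    out = dict(event)
    # payload takes priority over message; the source field is removed.
    source = "payload" if "payload" in out else "message"
    raw = out.pop(source, "")
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", errors="replace")  # assumption: UTF-8 payloads
    pairs = parse_pairs(raw, delim)
    # msg takes priority over message; either overwrites an existing message.
    message = pairs.pop("msg", pairs.pop("message", None))
    if message is not None:
        out["message"] = message
    level = pairs.pop("level", None)
    if level is not None:
        # assumption: case-insensitive match against the severity table
        out["severity"] = SEVERITY.get(level.lower(), 7)
    if pairs:  # all other keys become labels (assumption: merged with existing)
        out["labels"] = {**out.get("labels", {}), **pairs}
    return out


if __name__ == "__main__":
    # Input event from the example on this page.
    print(parse_keyvals({"message": 'level=warn msg="disk full" host=web01'}))
```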