Handling Key‐Value Logs - joeavanzato/LogBoost GitHub Wiki

LogBoost can parse key-value logging with arbitrary separators and delimiters. A common example is firewall logging such as "key1=value1,key2=value2".

By default, LogBoost checks each input file against multiple formats, one of which is KV format with a kv separator of "=" and a pair delimiter of ",". This auto-detects files containing log lines resembling "k1=v1,k2=v2,k3="v 3","k4"=v4".

Let's imagine we have a file in the following format:

key1:value1|key2:value2|key3:value 3|

In this case, our kv separator is ":" and our pair delimiter is "|". We can provide these to LogBoost like below:

LogBoost.exe -separator ":" -delimiter "|" -logdir "logs"

When parsing KV-style logging, we can also use the '-fullparse' parameter to tell LogBoost to check the entirety of each file for all possible keys. Without it, LogBoost only uses the primary keys detected in the first line of the file, and all 'extra' keys are stored in a single column named "EXTRA_KEYS" as a basic string.
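The difference '-fullparse' makes to the resulting columns, as an added Go sketch that is not LogBoost's own code. It assumes the separator and delimiter are matched literally and that EXTRA_KEYS holds the leftover pairs re-joined with the delimiter (the page only says "a basic string"); the function name toRows and the log lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// toRows turns KV log lines into a header plus one map per line.
// full=false: columns come from the first line only and any later, unknown
// pair is kept as text in EXTRA_KEYS (assumed format: pairs joined by delim).
// full=true: every key seen anywhere in the input becomes its own column.
func toRows(lines []string, sep, delim string, full bool) (header []string, rows []map[string]string) {
	known := map[string]bool{}
	for i, line := range lines {
		row, extra := map[string]string{}, []string{}
		for _, pair := range strings.Split(line, delim) {
			k, v, ok := strings.Cut(pair, sep) // split on the first separator only
			if !ok || k == "" {
				continue // empty tail after a trailing delimiter, or a pair with no separator
			}
			if !known[k] && (i == 0 || full) {
				known[k], header = true, append(header, k)
			}
			if known[k] {
				row[k] = v
			} else {
				extra = append(extra, pair)
			}
		}
		if !full {
			row["EXTRA_KEYS"] = strings.Join(extra, delim)
		}
		rows = append(rows, row)
	}
	if !full {
		header = append(header, "EXTRA_KEYS")
	}
	return header, rows
}

func main() {
	// Constructed sample: the second line carries a key the first line lacks.
	logs := []string{"src:10.0.0.5|action:allow|", "src:10.0.0.9|action:deny|rule:block 3|"}
	fmt.Println(toRows(logs, ":", "|", false))
	fmt.Println(toRows(logs, ":", "|", true))
}
```

Without full parsing, a field such as "rule" that first appears on a later line is not a column of its own, so filters and enrichment keyed on column names will miss it unless they also search EXTRA_KEYS.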

If the provided delimiter or separator is a 'special character' in regex, it will need to be escaped with a backslash, such as below:

LogBoost.exe -separator ":" -delimiter "\|" -logdir "logs"

Failure to do so will result in a runtime error.