Expressions in Name Value Pair format for structured data

Structured data in Name Value Pair format contains one or more properties, which are represented as key-value pairs.

About this task

You can extract properties from an event that is in Name Value Pair format by writing an expression that matches the property. Valid Name Value Pair expressions are in the form of a single key reference.

The following example shows an event that is in Name Value Pair format:
Company=ABC Company;Product=SystemDefender;Version=1.13;EventID=console_login;Username=jsmith;Name=John Smith;authType=interactivePassword;

Procedure

  1. To extract the Username property, type Username in the Expression field.
  2. In the Value Delimiter field, enter the key-value delimiter that is specific to your payload. In this example, the key-value delimiter is an equal sign (=).
  3. In the Delimiter field, enter the delimiter between key-value pairs that is specific to your payload. In this example, the delimiter between key-value pairs is a semicolon (;).

Results

Matches in the payload are highlighted in the event data in the Workspace of the DSM Editor.
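
The extraction that the procedure configures can be reproduced outside the DSM Editor to check delimiters against sample payloads. The following Python sketch is an added example, not IBM's or the DSM Editor's code. The function names parse_nvp and extract_nvp, and the choice to compare keys whole and case-sensitively, are assumptions of this sketch.

```python
# Added illustration; not the DSM Editor's implementation.
# Sample event copied from the page above.
SAMPLE_EVENT = (
    "Company=ABC Company;Product=SystemDefender;Version=1.13;"
    "EventID=console_login;Username=jsmith;Name=John Smith;"
    "authType=interactivePassword;"
)


def parse_nvp(payload, value_delim="=", pair_delim=";"):
    """Split a Name Value Pair payload into an ordered list of (key, value)."""
    if not value_delim or not pair_delim:
        raise ValueError("both delimiters must be non-empty")
    if value_delim == pair_delim:
        raise ValueError("delimiters must differ")
    pairs = []
    for segment in payload.split(pair_delim):
        if not segment.strip():
            continue  # a trailing pair delimiter leaves an empty segment
        # Split on the FIRST value delimiter only, so a value may contain it.
        key, sep, value = segment.partition(value_delim)
        if not sep:
            continue  # no value delimiter: not a key-value pair
        pairs.append((key.strip(), value))
    return pairs


def extract_nvp(payload, key, value_delim="=", pair_delim=";"):
    """Return the value of the first pair whose key equals `key`, else None.

    Assumption of this sketch: keys are compared whole and case-sensitively,
    so the expression "Name" does not match the "Username" pair.
    """
    for k, v in parse_nvp(payload, value_delim, pair_delim):
        if k == key:
            return v
    return None


if __name__ == "__main__":
    print(extract_nvp(SAMPLE_EVENT, "Username"))  # jsmith
    print(extract_nvp(SAMPLE_EVENT, "Name"))      # John Smith
```

With the wrong pair delimiter the sketch treats the whole payload as one pair, so Username is not found and Company absorbs every later field.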