Skip to main content
Use the parse_pair function to parse a string containing a key-value pair into its constituent key and value components. This function is useful when you need to extract structured data from strings that follow a key-value format, such as tags, labels, or configuration entries. Use parse_pair when you have strings like host:server1 or env=production and need to access the key or value individually for filtering, grouping, or analysis.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically use rex or split commands to extract key-value components from strings. APL’s parse_pair provides a dedicated function for this common operation.
| rex field=tag "(?<key>[^:]+):(?<value>.*)"
In ANSI SQL, you use SUBSTRING with POSITION or SPLIT_PART to extract key-value components. APL’s parse_pair simplifies this with a dedicated function.
SELECT 
  SPLIT_PART(tag, ':', 1) AS key,
  SPLIT_PART(tag, ':', 2) AS value
FROM logs

Usage

Syntax

parse_pair(pair_string, [separator])

Parameters

NameTypeRequiredDescription
pair_stringstringRequiredThe string containing the key-value pair to parse.
separatorstringOptionalThe separator between the key and value. Defaults to :.

Returns

A dynamic object with the following properties:
  • key: The extracted key portion of the pair.
  • value: The extracted value portion of the pair.
  • separator: The separator used in the pair.
If the separator is not found in the input string, the function returns a pair with the entire input as the value and an empty key.

Example

Extract and analyze tag components from HTTP request metadata. Query 
['sample-http-logs']
| extend tag_string = strcat('method:', method)
| extend parsed = parse_pair(tag_string)
| project _time, uri, tag_string, parsed
Run in Playground Output
_timeuritag_stringparsed
2025-01-29 08:15:30/api/usermethod:GET{"key": "method", "separator": ":", "value": "GET"}
2025-01-29 08:16:45/api/datamethod:POST{"key": "method", "separator": ":", "value": "POST"}
2025-01-29 08:17:20/api/loginmethod:POST{"key": "method", "separator": ":", "value": "POST"}
This query constructs tag strings and then parses them to extract individual key and value components for analysis.
  • pair: Creates a pair string from key and value components. Use parse_pair to decompose existing pairs.
  • find_pair: Searches an array of pairs for a matching pattern. Use parse_pair when you need to extract components from a single pair string.
  • split: Splits a string by a delimiter into an array. Use parse_pair when you specifically need key-value extraction with structured output.
  • extract: Extracts substrings using regex. Use parse_pair for simpler key-value parsing without regex.