Skip to main content
Use the pair function to create a dynamic object representing a key-value pair from separate key and value components. This function is useful for constructing structured pair objects that you can use with functions like find_pair to search arrays of pairs. Use pair when you need to programmatically build key-value pair objects for filtering or matching against pair arrays in your logs. The function returns a dynamic object with key, value, and separator properties.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically work with key-value pairs as strings. APL’s pair function creates a structured object instead, which you can use for pattern matching with find_pair.
| eval tag = host . ":" . value
In ANSI SQL, you use CONCAT to build key-value strings or JSON functions to create objects. APL’s pair function creates a structured dynamic object directly.
SELECT JSON_OBJECT('key', key_col, 'value', value_col) AS tag FROM logs

Usage

Syntax

pair(key, value, [separator])

Parameters

NameTypeRequiredDescription
keystringRequiredThe key component of the pair.
valuestringRequiredThe value component of the pair.
separatorstringOptionalThe separator to store in the pair object. Defaults to :.

Returns

A dynamic object with the following properties:
  • key: The key component of the pair.
  • value: The value component of the pair.
  • separator: The separator used in the pair.

Example

Create pair objects to represent request metadata. Query 
['sample-http-logs']
| extend method_pair = pair('method', method)
| project _time, uri, method_pair
Run in Playground Output
_timeurimethod_pair
2025-01-29 10:48:08/api/v1/textdata/change{"key": "method", "separator": ":", "value": "GET"}
2025-01-29 10:48:07/api/v1/sell/bucket{"key": "method", "separator": ":", "value": "PUT"}
2025-01-29 10:48:06/api/v1/user/notify{"key": "method", "separator": ":", "value": "POST"}
This query creates pair objects from request fields, storing both the key name and value in a structured format.
  • parse_pair: Parses a pair string into a dynamic object with key and value properties. Use pair to create pair objects directly from components.
  • find_pair: Searches an array of pairs for a matching key-value pattern. Use pair to construct pair objects for comparison.
  • bag_pack: Creates a dynamic property bag from key-value pairs. Use pair when you specifically need the pair object structure with separator.