mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-04-26 16:17:19 -04:00
1256a49c3a
This copies the first line of the description of each command to just under the syntax so that it's "in order", before the `Parameters` section. That way if you are reading from top to bottom you see: ``` syntax short description parameter names and descriptions long description examples ``` I've also removed the `Description` section entirely if the description was just one sentence. So in some cases that just isn't `long description`.
70 lines
1.7 KiB
Text
70 lines
1.7 KiB
Text
[discrete]
|
|
[[esql-grok]]
|
|
=== `GROK`
|
|
|
|
`GROK` enables you to <<esql-process-data-with-dissect-and-grok,extract
|
|
structured data out of a string>>.
|
|
|
|
**Syntax**
|
|
|
|
[source,esql]
|
|
----
|
|
GROK input "pattern"
|
|
----
|
|
|
|
*Parameters*
|
|
|
|
`input`::
|
|
The column that contains the string you want to structure. If the column has
|
|
multiple values, `GROK` will process each value.
|
|
|
|
`pattern`::
|
|
A grok pattern.
|
|
|
|
*Description*
|
|
|
|
`GROK` enables you to <<esql-process-data-with-dissect-and-grok,extract
|
|
structured data out of a string>>. `GROK` matches the string against patterns,
|
|
based on regular expressions, and extracts the specified patterns as columns.
|
|
|
|
Refer to <<esql-process-data-with-grok>> for the syntax of grok patterns.
|
|
|
|
*Examples*
|
|
|
|
// tag::examples[]
|
|
The following example parses a string that contains a timestamp, an IP address,
|
|
an email address, and a number:
|
|
|
|
[source.merge.styled,esql]
|
|
----
|
|
include::{esql-specs}/docs.csv-spec[tag=basicGrok]
|
|
----
|
|
[%header.monospaced.styled,format=dsv,separator=|]
|
|
|===
|
|
include::{esql-specs}/docs.csv-spec[tag=basicGrok-result]
|
|
|===
|
|
|
|
By default, `GROK` outputs keyword string columns. `int` and `float` types can
|
|
be converted by appending `:type` to the semantics in the pattern. For example
|
|
`{NUMBER:num:int}`:
|
|
|
|
[source.merge.styled,esql]
|
|
----
|
|
include::{esql-specs}/docs.csv-spec[tag=grokWithConversionSuffix]
|
|
----
|
|
[%header.monospaced.styled,format=dsv,separator=|]
|
|
|===
|
|
include::{esql-specs}/docs.csv-spec[tag=grokWithConversionSuffix-result]
|
|
|===
|
|
|
|
For other type conversions, use <<esql-type-conversion-functions>>:
|
|
|
|
[source.merge.styled,esql]
|
|
----
|
|
include::{esql-specs}/docs.csv-spec[tag=grokWithToDatetime]
|
|
----
|
|
[%header.monospaced.styled,format=dsv,separator=|]
|
|
|===
|
|
include::{esql-specs}/docs.csv-spec[tag=grokWithToDatetime-result]
|
|
|===
|
|
// end::examples[]
|