mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-04-25 23:57:20 -04:00
284f81873f
* Add 'Process data with DISSECT and GROK' page * Expand DISSECT docs * More DISSECT and GROK enhancements * Improve examples * Fix CSV tests * Review feedback * Reword
59 lines
No EOL
1.5 KiB
Text
59 lines
No EOL
1.5 KiB
Text
[discrete]
|
|
[[esql-dissect]]
|
|
=== `DISSECT`
|
|
|
|
**Syntax**
|
|
|
|
[source,txt]
|
|
----
|
|
DISSECT input "pattern" [ append_separator="<separator>"]
|
|
----
|
|
|
|
*Parameters*
|
|
|
|
`input`::
|
|
The column that contains the string you want to structure. If the column has
|
|
multiple values, `DISSECT` will process each value.
|
|
|
|
`pattern`::
|
|
A dissect pattern.
|
|
|
|
`append_separator="<separator>"`::
|
|
A string used as the separator between appended values, when using the <<esql-append-modifier,append modifier>>.
|
|
|
|
*Description*
|
|
|
|
`DISSECT` enables you to <<esql-process-data-with-dissect-and-grok,extract
|
|
structured data out of a string>>. `DISSECT` matches the string against a
|
|
delimiter-based pattern, and extracts the specified keys as columns.
|
|
|
|
Refer to <<esql-process-data-with-dissect>> for the syntax of dissect patterns.
|
|
|
|
*Example*
|
|
|
|
// tag::examples[]
|
|
The following example parses a string that contains a timestamp, some text, and
|
|
an IP address:
|
|
|
|
[source.merge.styled,esql]
|
|
----
|
|
include::{esql-specs}/docs.csv-spec[tag=basicDissect]
|
|
----
|
|
[%header.monospaced.styled,format=dsv,separator=|]
|
|
|===
|
|
include::{esql-specs}/docs.csv-spec[tag=basicDissect-result]
|
|
|===
|
|
|
|
By default, `DISSECT` outputs keyword string columns. To convert to another
|
|
type, use <<esql-type-conversion-functions>>:
|
|
|
|
[source.merge.styled,esql]
|
|
----
|
|
include::{esql-specs}/docs.csv-spec[tag=dissectWithToDatetime]
|
|
----
|
|
[%header.monospaced.styled,format=dsv,separator=|]
|
|
|===
|
|
include::{esql-specs}/docs.csv-spec[tag=dissectWithToDatetime-result]
|
|
|===
|
|
|
|
// end::examples[] |