mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-06-28 17:34:17 -04:00
d90c6b76a2
* [docs] Prepare for docs-assembler (#125118)
* reorg files for docs-assembler and create toc.yml files
* fix build error, add redirects
* only toc
* move images
(cherry picked from commit 9bcd59596d)
# Conflicts:
# docs/reference/aggregations/search-aggregations-pipeline-bucket-script-aggregation.md
# docs/reference/aggregations/search-aggregations-pipeline-cumulative-cardinality-aggregation.md
# docs/reference/aggregations/search-aggregations-pipeline-cumulative-sum-aggregation.md
# docs/reference/aggregations/search-aggregations-pipeline-derivative-aggregation.md
# docs/reference/aggregations/search-aggregations-pipeline-extended-stats-bucket-aggregation.md
# docs/reference/aggregations/search-aggregations-pipeline-max-bucket-aggregation.md
# docs/reference/aggregations/search-aggregations-pipeline-min-bucket-aggregation.md
# docs/reference/aggregations/search-aggregations-pipeline-percentiles-bucket-aggregation.md
# docs/reference/aggregations/search-aggregations-pipeline-stats-bucket-aggregation.md
# docs/reference/aggregations/search-aggregations-pipeline-sum-bucket-aggregation.md
# docs/reference/query-languages/esql/esql-commands.md
# docs/reference/query-languages/esql/esql-lookup-join.md
# docs/reference/query-languages/esql/esql-process-data-with-dissect-grok.md
# docs/reference/query-languages/images/esql-lookup-join.png
# docs/reference/query-languages/toc.yml
# docs/reference/search-connectors/es-connectors-run-from-docker.md
# docs/reference/text-analysis/analysis-apostrophe-tokenfilter.md
# docs/reference/toc.yml
* remove markers
---------
Co-authored-by: Colleen McGinnis <colleen.mcginnis@elastic.co>
2.9 KiB
2.9 KiB
| navigation_title | mapped_pages | |
|---|---|---|
| KV |
|
KV processor [kv-processor]
This processor helps automatically parse messages (or specific event fields) which are of the foo=bar variety.
For example, if you have a log message which contains ip=1.2.3.4 error=REFUSED, you can parse those fields automatically by configuring:
{
"kv": {
"field": "message",
"field_split": " ",
"value_split": "="
}
}
::::{tip} Using the KV Processor can result in field names that you cannot control. Consider using the Flattened data type instead, which maps an entire object as a single field and allows for simple searches over its contents. ::::
$$$kv-options$
| Name | Required | Default | Description |
|---|---|---|---|
field |
yes | - | The field to be parsed. Supports template snippets. |
field_split |
yes | - | Regex pattern to use for splitting key-value pairs |
value_split |
yes | - | Regex pattern to use for splitting the key from the value within a key-value pair |
target_field |
no | null |
The field to insert the extracted keys into. Defaults to the root of the document. Supports template snippets. |
include_keys |
no | null |
List of keys to filter and insert into document. Defaults to including all keys |
exclude_keys |
no | null |
List of keys to exclude from document |
ignore_missing |
no | false |
If true and field does not exist or is null, the processor quietly exits without modifying the document |
prefix |
no | null |
Prefix to be added to extracted keys |
trim_key |
no | null |
String of characters to trim from extracted keys |
trim_value |
no | null |
String of characters to trim from extracted values |
strip_brackets |
no | false |
If true strip brackets (), <>, [] as well as quotes ' and " from extracted values |
description |
no | - | Description of the processor. Useful for describing the purpose of the processor or its configuration. |
if |
no | - | Conditionally execute the processor. See Conditionally run a processor. |
ignore_failure |
no | false |
Ignore failures for the processor. See Handling pipeline failures. |
on_failure |
no | - | Handle failures for the processor. See Handling pipeline failures. |
tag |
no | - | Identifier for the processor. Useful for debugging and metrics. |