mirrors
/
elasticsearch
mirror of https://mirror.osredm.com/root/elasticsearch.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update dissect-processor.md (#128708)

This commit is contained in:
George Wallace 2025-06-02 00:49:45 -06:00 committed by GitHub
parent c14037985d
commit 4eca31756f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
docs/reference/enrich-processor/dissect-processor.md
View File

@ -46,7 +46,7 @@ and result in a document with the following fields:
A dissect pattern is defined by the parts of the string that will be discarded. In the previous example, the first part to be discarded is a single space. Dissect finds this space, then assigns the value of `clientip` everything up until that space. Next, dissect matches the `[` and then `]` and then assigns `@timestamp` to everything in-between `[` and `]`. Paying special attention to the parts of the string to discard will help build successful dissect patterns.
Successful matches require all keys in a pattern to have a value. If any of the `%{{keyname}}` defined in the pattern do not have a value, then an exception is thrown and may be handled by the [`on_failure`](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md#handling-pipeline-failures) directive. An empty key `%{}` or a [named skip key](#dissect-modifier-named-skip-key) can be used to match values, but exclude the value from the final document. All matched values are represented as string data types. The [convert processor](/reference/enrich-processor/convert-processor.md) may be used to convert to expected data type.
Successful matches require all keys in a pattern to have a value. If any of the `%{keyname}` defined in the pattern do not have a value, then an exception is thrown and may be handled by the [`on_failure`](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md#handling-pipeline-failures) directive. An empty key `%{}` or a [named skip key](#dissect-modifier-named-skip-key) can be used to match values, but exclude the value from the final document. All matched values are represented as string data types. The [convert processor](/reference/enrich-processor/convert-processor.md) may be used to convert to expected data type.
Dissect also supports [key modifiers](#dissect-key-modifiers) that can change dissects default behavior. For example you can instruct dissect to ignore certain fields, append fields, skip over padding, etc. See [below](#dissect-key-modifiers) for more information.
@ -75,7 +75,7 @@ $$$dissect-options$$$
## Dissect key modifiers [dissect-key-modifiers]
Key modifiers can change the default behavior for dissection. Key modifiers may be found on the left or right of the `%{{keyname}}` always inside the `%{` and `}`. For example `%{+keyname ->}` has the append and right padding modifiers.
Key modifiers can change the default behavior for dissection. Key modifiers may be found on the left or right of the `%{keyname}` always inside the `%{` and `}`. For example `%{+keyname ->}` has the append and right padding modifiers.
$$$dissect-key-modifiers-table$$$
@ -89,9 +89,9 @@ $$$dissect-key-modifiers-table$$$
### Right padding modifier (`->`) [dissect-modifier-skip-right-padding]
The algorithm that performs the dissection is very strict in that it requires all characters in the pattern to match the source string. For example, the pattern `%{{fookey}} %{{barkey}}` (1 space), will match the string "foo bar" (1 space), but will not match the string "foo bar" (2 spaces) since the pattern has only 1 space and the source string has 2 spaces.
The algorithm that performs the dissection is very strict in that it requires all characters in the pattern to match the source string. For example, the pattern `%{fookey} %{barkey}` (1 space), will match the string "foo bar" (1 space), but will not match the string "foo bar" (2 spaces) since the pattern has only 1 space and the source string has 2 spaces.
The right padding modifier helps with this case. Adding the right padding modifier to the pattern `%{fookey->} %{{barkey}}`, It will now will match "foo bar" (1 space) and "foo bar" (2 spaces) and even "foo bar" (10 spaces).
The right padding modifier helps with this case. Adding the right padding modifier to the pattern `%{fookey->} %{barkey}`, It will now will match "foo bar" (1 space) and "foo bar" (2 spaces) and even "foo bar" (10 spaces).
Use the right padding modifier to allow for repetition of the characters after a `%{keyname->}`.
@ -101,7 +101,7 @@ Right padding modifier example
| | |
| --- | --- |
| **Pattern** | `%{ts->} %{{level}}` |
| **Pattern** | `%{ts->} %{level}` |
| **Input** | 1998-08-10T17:15:42,466 WARN |
| **Result** | * ts = 1998-08-10T17:15:42,466<br>* level = WARN<br> |
@ -111,7 +111,7 @@ Right padding modifier with empty key example
| | |
| --- | --- |
| **Pattern** | `[%{{ts}}]%{->}[%{{level}}]` |
| **Pattern** | `[%{ts}]%{->}[%{level}]` |
| **Input** | [1998-08-10T17:15:42,466] [WARN] |
| **Result** | * ts = 1998-08-10T17:15:42,466<br>* level = WARN<br> |
@ -153,7 +153,7 @@ Named skip key modifier example
| | |
| --- | --- |
| **Pattern** | `%{{clientip}} %{?ident} %{?auth} [%{@timestamp}]` |
| **Pattern** | `%{clientip} %{?ident} %{?auth} [%{@timestamp}]` |
| **Input** | 1.2.3.4 - - [30/Apr/1998:22:00:52 +0000] |
| **Result** | * clientip = 1.2.3.4<br>* @timestamp = 30/Apr/1998:22:00:52 +0000<br> |
@ -167,7 +167,7 @@ Reference key modifier example
| | |
| --- | --- |
| **Pattern** | `[%{{ts}}] [%{{level}}] %{*p1}:%{&p1} %{*p2}:%{&p2}` |
| **Pattern** | `[%{ts}] [%{level}] %{*p1}:%{&p1} %{*p2}:%{&p2}` |
| **Input** | [2018-08-10T17:15:42,466] [ERR] ip:1.2.3.4 error:REFUSED |
| **Result** | * ts = 2018-08-10T17:15:42,466<br>* level = ERR<br>* ip = 1.2.3.4<br>* error = REFUSED<br> |