DISSECT

Stack Serverless

DISSECT enables you to extract structured data out of a string.

Syntax

DISSECT input "pattern" [APPEND_SEPARATOR="<separator>"]

Parameters

input
The column that contains the string you want to structure. If the column has multiple values, DISSECT will process each value.
pattern
A dissect pattern. If a field name conflicts with an existing column, the existing column is dropped. If a field name is used more than once, only the rightmost duplicate creates a column.
<separator>
A string used as the separator between appended values, when using the append modifier.

Description

DISSECT enables you to extract structured data out of a string. DISSECT matches the string against a delimiter-based pattern, and extracts the specified keys as columns.

Refer to Process data with DISSECT for the syntax of dissect patterns.

Examples

The following example parses a string that contains a timestamp, some text, and an IP address:

ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
| DISSECT a """%{date} - %{msg} - %{ip}"""
| KEEP date, msg, ip

date:keyword | msg:keyword | ip:keyword
2023-01-23T12:15:00.000Z | some text | 127.0.0.1

By default, DISSECT outputs keyword string columns. To convert to another type, use Type conversion functions:

ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
| DISSECT a """%{date} - %{msg} - %{ip}"""
| KEEP date, msg, ip
| EVAL date = TO_DATETIME(date)

msg:keyword | ip:keyword | date:date
some text | 127.0.0.1 | 2023-01-23T12:15:00.000Z
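The same approach applied to an authentication log, as an added example that is not part of the original documentation: the log line is constructed, the column names (ts, host, pid, user, src_ip, src_port, proto) are hypothetical, and the internal CIDR ranges are assumptions. Because DISSECT outputs keyword columns, the source address is converted with TO_IP before the range check, so that the comparison is made on an address rather than on a string.

```esql
// Constructed sample line; 203.0.113.45 is a documentation-range address.
ROW line = "2023-01-23T12:15:00.000Z bastion01 sshd[4242]: Failed password for root from 203.0.113.45 port 53211 ssh2"
// Literal text between the keys ("sshd[", "]: Failed password for ", " from ", " port ") acts as the delimiter
| DISSECT line """%{ts} %{host} sshd[%{pid}]: Failed password for %{user} from %{src_ip} port %{src_port} %{proto}"""
// Convert the keyword columns to typed columns before filtering on them
| EVAL ts = TO_DATETIME(ts), src_ip = TO_IP(src_ip), src_port = TO_INTEGER(src_port)
// Keep only failures whose source is outside the assumed internal ranges
| WHERE NOT CIDR_MATCH(src_ip, "10.0.0.0/8", "192.168.0.0/16")
| KEEP ts, host, user, src_ip, src_port
```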