lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215
							[[dissect-processor]]
=== Dissect processor
++++
<titleabbrev>Dissect</titleabbrev>
++++


Similar to the <<grok-processor,Grok Processor>>, dissect also extracts structured fields out of a single text field
within a document. However unlike the <<grok-processor,Grok Processor>>, dissect does not use
{wikipedia}/Regular_expression[Regular Expressions]. This allows dissect's syntax to be simple and for
some cases faster than the <<grok-processor,Grok Processor>>.

Dissect matches a single text field against a defined pattern.

For example the following pattern:
[source,txt]
--------------------------------------------------
%{clientip} %{ident} %{auth} [%{@timestamp}] \"%{verb} %{request} HTTP/%{httpversion}\" %{status} %{size}
--------------------------------------------------
will match a log line of this format:
[source,txt]
--------------------------------------------------
1.2.3.4 - - [30/Apr/1998:22:00:52 +0000] \"GET /english/venues/cities/images/montpellier/18.gif HTTP/1.0\" 200 3171
--------------------------------------------------
and result in a document with the following fields:
[source,js]
--------------------------------------------------
"doc": {
  "_index": "_index",
  "_type": "_type",
  "_id": "_id",
  "_source": {
    "request": "/english/venues/cities/images/montpellier/18.gif",
    "auth": "-",
    "ident": "-",
    "verb": "GET",
    "@timestamp": "30/Apr/1998:22:00:52 +0000",
    "size": "3171",
    "clientip": "1.2.3.4",
    "httpversion": "1.0",
    "status": "200"
  }
}
--------------------------------------------------
// NOTCONSOLE

// tag::intro-example-explanation[]
A dissect pattern is defined by the parts of the string that will be discarded. In the previous example, the first part
to be discarded is a single space. Dissect finds this space, then assigns the value of `clientip` everything up
until that space.
Next, dissect matches the `[` and then `]` and then assigns `@timestamp` to everything in-between `[` and `]`.
Paying special attention to the parts of the string to discard will help build successful dissect patterns.
// end::intro-example-explanation[]

Successful matches require all keys in a pattern to have a value. If any of the `%{keyname}` defined in the pattern do
not have a value, then an exception is thrown and may be handled by the <<handling-pipeline-failures,`on_failure`>> directive.
An empty key `%{}` or a <<dissect-modifier-named-skip-key, named skip key>> can be used to match values, but exclude the value from
the final document. All matched values are represented as string data types. The <<convert-processor, convert processor>>
may be used to convert to expected data type.

Dissect also supports <<dissect-key-modifiers,key modifiers>> that can change dissect's default
behavior. For example you can instruct dissect to ignore certain fields, append fields, skip over padding, etc.
See <<dissect-key-modifiers, below>> for more information.

[[dissect-options]]
.Dissect Options
[options="header"]
|======
| Name              | Required  | Default  | Description
| `field`           | yes       | -        | The field to dissect
| `pattern`         | yes       | -        | The pattern to apply to the field
| `append_separator`| no        | "" (empty string) | The character(s) that separate the appended fields.
| `ignore_missing`  | no        | false             | If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document
include::common-options.asciidoc[]
|======

[source,js]
--------------------------------------------------
{
  "dissect": {
    "field": "message",
    "pattern" : "%{clientip} %{ident} %{auth} [%{@timestamp}] \"%{verb} %{request} HTTP/%{httpversion}\" %{status} %{size}"
   }
}
--------------------------------------------------
// NOTCONSOLE

[[dissect-key-modifiers]]
==== Dissect key modifiers
// tag::dissect-key-modifiers[]
Key modifiers can change the default behavior for dissection. Key modifiers may be found on the left or right
of the `%{keyname}` always inside the `%{` and `}`. For example `%{+keyname ->}` has the append and right padding
modifiers.
// end::dissect-key-modifiers[]

[[dissect-key-modifiers-table]]
.Dissect Key Modifiers
[options="header"]
|======
| Modifier      | Name               | Position       | Example                      | Description                                                  | Details
| `->`          | Skip right padding | (far) right    | `%{keyname1->}`  | Skips any repeated characters to the right                   | <<dissect-modifier-skip-right-padding,link>>
| `+`           | Append             | left           | `%{+keyname} %{+keyname}`    | Appends two or more fields together                          | <<dissect-modifier-append-key,link>>
| `+` with `/n` | Append with order  | left and right | `%{+keyname/2} %{+keyname/1}` | Appends two or more fields together in the order specified   | <<dissect-modifier-append-key-with-order,link>>
| `?`           | Named skip key     | left           | `%{?ignoreme}`  | Skips the matched value in the output. Same behavior as `%{}`| <<dissect-modifier-named-skip-key,link>>
| `*` and `&`   | Reference keys     | left           | `%{*r1} %{&r1}`    | Sets the output key as value of `*` and output value of `&`  | <<dissect-modifier-reference-keys,link>>
|======

[[dissect-modifier-skip-right-padding]]
===== Right padding modifier (`->`)

// tag::dissect-modifier-skip-right-padding[]
The algorithm that performs the dissection is very strict in that it requires all characters in the pattern to match
the source string. For example, the pattern `%{fookey} %{barkey}` (1 space), will match the string "foo{nbsp}bar"
(1 space), but will not match the string "foo{nbsp}{nbsp}bar" (2 spaces) since the pattern has only 1 space and the
source string has 2 spaces.

The right padding modifier helps with this case. Adding the right padding modifier to the pattern `%{fookey->} %{barkey}`,
It will now will match "foo{nbsp}bar" (1 space) and "foo{nbsp}{nbsp}bar" (2 spaces)
and even "foo{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}bar" (10 spaces).

Use the right padding modifier to allow for repetition of the characters after a `%{keyname->}`.

The right padding modifier may be placed on any key with any other modifiers. It should always be the furthest right
modifier. For example: `%{+keyname/1->}` and `%{->}`

Right padding modifier example
|======
| *Pattern* | `%{ts->} %{level}`
| *Input*   |  1998-08-10T17:15:42,466{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}WARN
| *Result*  a|
* ts = 1998-08-10T17:15:42,466
* level = WARN
|======

The right padding modifier may be used with an empty key to help skip unwanted data. For example, the same input string, but wrapped with brackets requires the use of an empty right padded key to achieve the same result.

Right padding modifier with empty key example
|======
| *Pattern* | `[%{ts}]%{->}[%{level}]`
| *Input*   | [1998-08-10T17:15:42,466]{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}{nbsp}[WARN]
| *Result*  a|
* ts = 1998-08-10T17:15:42,466
* level = WARN
|======
// end::dissect-modifier-skip-right-padding[]

[[append-modifier]]
===== Append modifier (`+`)
[[dissect-modifier-append-key]]
// tag::append-modifier[]
Dissect supports appending two or more results together for the output.
Values are appended left to right. An append separator can be specified.
In this example the append_separator is defined as a space.

Append modifier example
|======
| *Pattern* | `%{+name} %{+name} %{+name} %{+name}`
| *Input*   | john jacob jingleheimer schmidt
| *Result*  a|
* name = john jacob jingleheimer schmidt
|======
// end::append-modifier[]

[[append-order-modifier]]
===== Append with order modifier (`+` and `/n`)
[[dissect-modifier-append-key-with-order]]
// tag::append-order-modifier[]
Dissect supports appending two or more results together for the output.
Values are appended based on the order defined (`/n`). An append separator can be specified.
In this example the append_separator is defined as a comma.

Append with order modifier example
|======
| *Pattern* | `%{+name/2} %{+name/4} %{+name/3} %{+name/1}`
| *Input*   | john jacob jingleheimer schmidt
| *Result*  a|
* name = schmidt,john,jingleheimer,jacob
|======
// end::append-order-modifier[]

[[named-skip-key]]
===== Named skip key (`?`)
[[dissect-modifier-named-skip-key]]
// tag::named-skip-key[]
Dissect supports ignoring matches in the final result. This can be done with an empty key `%{}`, but for readability
it may be desired to give that empty key a name.

Named skip key modifier example
|======
| *Pattern* | `%{clientip} %{?ident} %{?auth} [%{@timestamp}]`
| *Input*   | 1.2.3.4 - - [30/Apr/1998:22:00:52 +0000]
| *Result*  a|
* clientip = 1.2.3.4
* @timestamp = 30/Apr/1998:22:00:52 +0000
|======
// end::named-skip-key[]

[[reference-keys]]
===== Reference keys (`*` and `&`)
[[dissect-modifier-reference-keys]]
// tag::reference-keys[]
Dissect support using parsed values as the key/value pairings for the structured content. Imagine a system that
partially logs in key/value pairs. Reference keys allow you to maintain that key/value relationship.

Reference key modifier example
|======
| *Pattern* | `[%{ts}] [%{level}] %{*p1}:%{&p1} %{*p2}:%{&p2}`
| *Input*   | [2018-08-10T17:15:42,466] [ERR] ip:1.2.3.4 error:REFUSED
| *Result*  a|
* ts = 2018-08-10T17:15:42,466
* level = ERR
* ip = 1.2.3.4
* error = REFUSED
|======
// end::reference-keys[]