elasticsearch/docs/reference/esql/processing-commands/dissect.asciidoc

[discrete]
[[esql-dissect]]
=== `DISSECT`

`DISSECT` enables you to <<esql-process-data-with-dissect-and-grok,extract
structured data out of a string>>.

**Syntax**

[source,esql]
----
DISSECT input "pattern" [APPEND_SEPARATOR="<separator>"]
----

*Parameters*

`input`::
The column that contains the string you want to structure.  If the column has
multiple values, `DISSECT` will process each value.

`pattern`::
A <<esql-dissect-patterns,dissect pattern>>.
If a field name conflicts with an existing column, the existing column is dropped.
If a field name is used more than once, only the rightmost duplicate creates a column.

`<separator>`::
A string used as the separator between appended values, when using the <<esql-append-modifier,append modifier>>.

*Description*

`DISSECT` enables you to <<esql-process-data-with-dissect-and-grok,extract
structured data out of a string>>. `DISSECT` matches the string against a
delimiter-based pattern, and extracts the specified keys as columns.

Refer to <<esql-process-data-with-dissect>> for the syntax of dissect patterns.

*Examples*

// tag::examples[]
The following example parses a string that contains a timestamp, some text, and
an IP address:

[source.merge.styled,esql]
----
include::{esql-specs}/docs.csv-spec[tag=basicDissect]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/docs.csv-spec[tag=basicDissect-result]
|===

By default, `DISSECT` outputs keyword string columns. To convert to another
type, use <<esql-type-conversion-functions>>:

[source.merge.styled,esql]
----
include::{esql-specs}/docs.csv-spec[tag=dissectWithToDatetime]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/docs.csv-spec[tag=dissectWithToDatetime-result]
|===

// end::examples[]