elasticsearch/docs/reference/ingest/ingest-node.asciidoc

[[pipe-line]]
== Pipeline Definition

A pipeline is a definition of  a series of <<ingest-processors, processors>> that are to be executed
in the same order as they are declared. A pipeline consists of two main fields: a `description`
and a list of `processors`:

[source,js]
--------------------------------------------------
{
  "description" : "...",
  "processors" : [ ... ]
}
--------------------------------------------------

The `description` is a special field to store a helpful description of
what the pipeline does.

The `processors` parameter defines a list of processors to be executed in
order.

[[ingest-apis]]
== Ingest APIs

The following ingest APIs are available for managing pipelines:

* <<put-pipeline-api>> to add or update a pipeline
* <<get-pipeline-api>> to return a specific pipeline
* <<delete-pipeline-api>> to delete a pipeline
* <<simulate-pipeline-api>> to simulate a call to a pipeline

[[put-pipeline-api]]
=== Put Pipeline API

The put pipeline API adds pipelines and updates existing pipelines in the cluster.

[source,js]
--------------------------------------------------
PUT _ingest/pipeline/my-pipeline-id
{
  "description" : "describe pipeline",
  "processors" : [
    {
      "simple" : {
        // settings
      }
    },
    // other processors
  ]
}
--------------------------------------------------
// AUTOSENSE

NOTE: The put pipeline API also instructs all ingest nodes to reload their in-memory representation of pipelines, so that
      pipeline changes take effect immediately.

[[get-pipeline-api]]
=== Get Pipeline API

The get pipeline API returns pipelines based on ID. This API always returns a local reference of the pipeline.

[source,js]
--------------------------------------------------
GET _ingest/pipeline/my-pipeline-id
--------------------------------------------------
// AUTOSENSE

Example response:

[source,js]
--------------------------------------------------
{
   "my-pipeline-id": {
      "_source" : {
        "description": "describe pipeline",
        "processors": [
          {
            "simple" : {
              // settings
            }
          },
          // other processors
        ]
      },
      "_version" : 0
   }
}
--------------------------------------------------

For each returned pipeline, the source and the version are returned.
The version is useful for knowing which version of the pipeline the node has.
You can specify multiple IDs to return more than one pipeline. Wildcards are also supported.

[[delete-pipeline-api]]
=== Delete Pipeline API

The delete pipeline API deletes pipelines by ID.

[source,js]
--------------------------------------------------
DELETE _ingest/pipeline/my-pipeline-id
--------------------------------------------------
// AUTOSENSE

[[simulate-pipeline-api]]
=== Simulate Pipeline API

The simulate pipeline API executes a specific pipeline against
the set of documents provided in the body of the request.

You can either specify an existing pipeline to execute
against the provided documents, or supply a pipeline definition in
the body of the request.

Here is the structure of a simulate request with a pipeline definition provided
in the body of the request:

[source,js]
--------------------------------------------------
POST _ingest/pipeline/_simulate
{
  "pipeline" : {
    // pipeline definition here
  },
  "docs" : [
    { /** first document **/ },
    { /** second document **/ },
    // ...
  ]
}
--------------------------------------------------

Here is the structure of a simulate request against an existing pipeline:

[source,js]
--------------------------------------------------
POST _ingest/pipeline/my-pipeline-id/_simulate
{
  "docs" : [
    { /** first document **/ },
    { /** second document **/ },
    // ...
  ]
}
--------------------------------------------------


Here is an example of a simulate request with a pipeline defined in the request
and its response:

[source,js]
--------------------------------------------------
POST _ingest/pipeline/_simulate
{
  "pipeline" :
  {
    "description": "_description",
    "processors": [
      {
        "set" : {
          "field" : "field2",
          "value" : "_value"
        }
      }
    ]
  },
  "docs": [
    {
      "_index": "index",
      "_type": "type",
      "_id": "id",
      "_source": {
        "foo": "bar"
      }
    },
    {
      "_index": "index",
      "_type": "type",
      "_id": "id",
      "_source": {
        "foo": "rab"
      }
    }
  ]
}
--------------------------------------------------
// AUTOSENSE

Response:

[source,js]
--------------------------------------------------
{
   "docs": [
      {
         "doc": {
            "_id": "id",
            "_ttl": null,
            "_parent": null,
            "_index": "index",
            "_routing": null,
            "_type": "type",
            "_timestamp": null,
            "_source": {
               "field2": "_value",
               "foo": "bar"
            },
            "_ingest": {
               "timestamp": "2016-01-04T23:53:27.186+0000"
            }
         }
      },
      {
         "doc": {
            "_id": "id",
            "_ttl": null,
            "_parent": null,
            "_index": "index",
            "_routing": null,
            "_type": "type",
            "_timestamp": null,
            "_source": {
               "field2": "_value",
               "foo": "rab"
            },
            "_ingest": {
               "timestamp": "2016-01-04T23:53:27.186+0000"
            }
         }
      }
   ]
}
--------------------------------------------------

[[ingest-verbose-param]]
==== Viewing Verbose Results
You can use the simulate pipeline API to see how each processor affects the ingest document
as it passes through the pipeline. To see the intermediate results of
each processor in the simulate request, you can add the `verbose` parameter
to the request.

Here is an example of a verbose request and its response:

[source,js]
--------------------------------------------------
POST _ingest/pipeline/_simulate?verbose
{
  "pipeline" :
  {
    "description": "_description",
    "processors": [
      {
        "set" : {
          "field" : "field2",
          "value" : "_value2"
        }
      },
      {
        "set" : {
          "field" : "field3",
          "value" : "_value3"
        }
      }
    ]
  },
  "docs": [
    {
      "_index": "index",
      "_type": "type",
      "_id": "id",
      "_source": {
        "foo": "bar"
      }
    },
    {
      "_index": "index",
      "_type": "type",
      "_id": "id",
      "_source": {
        "foo": "rab"
      }
    }
  ]
}
--------------------------------------------------
// AUTOSENSE

Response:

[source,js]
--------------------------------------------------
{
   "docs": [
      {
         "processor_results": [
            {
               "tag": "processor[set]-0",
               "doc": {
                  "_id": "id",
                  "_ttl": null,
                  "_parent": null,
                  "_index": "index",
                  "_routing": null,
                  "_type": "type",
                  "_timestamp": null,
                  "_source": {
                     "field2": "_value2",
                     "foo": "bar"
                  },
                  "_ingest": {
                     "timestamp": "2016-01-05T00:02:51.383+0000"
                  }
               }
            },
            {
               "tag": "processor[set]-1",
               "doc": {
                  "_id": "id",
                  "_ttl": null,
                  "_parent": null,
                  "_index": "index",
                  "_routing": null,
                  "_type": "type",
                  "_timestamp": null,
                  "_source": {
                     "field3": "_value3",
                     "field2": "_value2",
                     "foo": "bar"
                  },
                  "_ingest": {
                     "timestamp": "2016-01-05T00:02:51.383+0000"
                  }
               }
            }
         ]
      },
      {
         "processor_results": [
            {
               "tag": "processor[set]-0",
               "doc": {
                  "_id": "id",
                  "_ttl": null,
                  "_parent": null,
                  "_index": "index",
                  "_routing": null,
                  "_type": "type",
                  "_timestamp": null,
                  "_source": {
                     "field2": "_value2",
                     "foo": "rab"
                  },
                  "_ingest": {
                     "timestamp": "2016-01-05T00:02:51.384+0000"
                  }
               }
            },
            {
               "tag": "processor[set]-1",
               "doc": {
                  "_id": "id",
                  "_ttl": null,
                  "_parent": null,
                  "_index": "index",
                  "_routing": null,
                  "_type": "type",
                  "_timestamp": null,
                  "_source": {
                     "field3": "_value3",
                     "field2": "_value2",
                     "foo": "rab"
                  },
                  "_ingest": {
                     "timestamp": "2016-01-05T00:02:51.384+0000"
                  }
               }
            }
         ]
      }
   ]
}
--------------------------------------------------

[[accessing-data-in-pipelines]]
== Accessing Data in Pipelines

The processors in a pipeline have read and write access to documents that pass through the pipeline.
The processors can access fields in the source of a document and the document's metadata fields.

[float]
[[accessing-source-fields]]
=== Accessing Fields in the Source
Accessing a field in the source is straightforward. You simply refer to fields by
their name. For example:

[source,js]
--------------------------------------------------
{
  "set": {
    "field": "my_field"
    "value": 582.1
  }
}
--------------------------------------------------

On top of this, fields from the source are always accessible via the `_source` prefix:

[source,js]
--------------------------------------------------
{
  "set": {
    "field": "_source.my_field"
    "value": 582.1
  }
}
--------------------------------------------------

[float]
[[accessing-metadata-fields]]
=== Accessing Metadata Fields
You can access metadata fields in the same way that you access fields in the source. This
is possible because Elasticsearch doesn't allow fields in the source that have the
same name as metadata fields.

The following example sets the `_id` metadata field of a document to `1`:

[source,js]
--------------------------------------------------
{
  "set": {
    "field": "_id"
    "value": "1"
  }
}
--------------------------------------------------

The following metadata fields are accessible by a processor: `_index`, `_type`, `_id`, `_routing`, `_parent`,
`_timestamp`, and `_ttl`.

[float]
[[accessing-ingest-metadata]]
=== Accessing Ingest Metadata Fields
Beyond metadata fields and source fields, ingest also adds ingest metadata to the documents that it processes.
These metadata properties are accessible under the `_ingest` key. Currently ingest adds the ingest timestamp
under the `_ingest.timestamp` key of the ingest metadata. The ingest timestamp is the time when Elasticsearch
received the index or bulk request to pre-process the document.

Any processor can add ingest-related metadata during document processing. Ingest metadata is transient
and is lost after a document has been processed by the pipeline. Therefore, ingest metadata won't be indexed.

The following example adds a field with the name `received`. The value is the ingest timestamp:

[source,js]
--------------------------------------------------
{
  "set": {
    "field": "received"
    "value": "{{_ingest.timestamp}}"
  }
}
--------------------------------------------------

Unlike Elasticsearch metadata fields, the ingest metadata field name `_ingest` can be used as a valid field name
in the source of a document. Use `_source._ingest` to refer to the field in the source document. Otherwise, `_ingest`
will be interpreted as an ingest metadata field.

[float]
[[accessing-template-fields]]
=== Accessing Fields and Metafields in Templates
A number of processor settings also support templating. Settings that support templating can have zero or more
template snippets. A template snippet begins with `{{` and ends with `}}`.
Accessing fields and metafields in templates is exactly the same as via regular processor field settings.

The following example adds a field named `field_c`. Its value is a concatenation of
the values of `field_a` and `field_b`.

[source,js]
--------------------------------------------------
{
  "set": {
    "field": "field_c"
    "value": "{{field_a}} {{field_b}}"
  }
}
--------------------------------------------------

The following example uses the value of the `geoip.country_iso_code` field in the source
to set the index that the document will be indexed into:

[source,js]
--------------------------------------------------
{
  "set": {
    "field": "_index"
    "value": "{{geoip.country_iso_code}}"
  }
}
--------------------------------------------------

[[handling-failure-in-pipelines]]
== Handling Failures in Pipelines

In its simplest use case, a pipeline defines a list of processors that
are executed sequentially, and processing halts at the first exception. This
behavior may not be desirable when failures are expected. For example, you may have logs
that don't match the specified grok expression. Instead of halting execution, you may
want to index such documents into a separate index.

To enable this behavior, you can use the `on_failure` parameter. The `on_failure` parameter
defines a list of processors to be executed immediately following the failed processor.
You can specify this parameter at the pipeline level, as well as at the processor
level. If a processor specifies an `on_failure` configuration, whether
it is empty or not, any exceptions that are thrown by the processor are caught, and the
pipeline continues executing the remaining processors. Because you can define further processors
within the scope of an `on_failure` statement, you can nest failure handling.

The following example defines a pipeline that renames the `foo` field in
the processed document to `bar`. If the document does not contain the `foo` field, the processor
attaches an error message to the document for later analysis within
Elasticsearch.

[source,js]
--------------------------------------------------
{
  "description" : "my first pipeline with handled exceptions",
  "processors" : [
    {
      "rename" : {
        "field" : "foo",
        "to" : "bar",
        "on_failure" : [
          {
            "set" : {
              "field" : "error",
              "value" : "field \"foo\" does not exist, cannot rename to \"bar\""
            }
          }
        ]
      }
    }
  ]
}
--------------------------------------------------

The following example defines an `on_failure` block on a whole pipeline to change
the index to which failed documents get sent.

[source,js]
--------------------------------------------------
{
  "description" : "my first pipeline with handled exceptions",
  "processors" : [ ... ],
  "on_failure" : [
    {
      "set" : {
        "field" : "_index",
        "value" : "failed-{{ _index }}"
      }
    }
  ]
}
--------------------------------------------------

[float]
[[accessing-error-metadata]]
=== Accessing Error Metadata From Processors Handling Exceptions

You may want to retrieve the actual error message that was thrown
by a failed processor. To do so you can access metadata fields called
`on_failure_message`, `on_failure_processor_type`, and `on_failure_processor_tag`. These fields are only accessible
from within the context of an `on_failure` block.

Here is an updated version of the example that you
saw earlier. But instead of setting the error message manually, the example leverages the `on_failure_message`
metadata field to provide the error message.

[source,js]
--------------------------------------------------
{
  "description" : "my first pipeline with handled exceptions",
  "processors" : [
    {
      "rename" : {
        "field" : "foo",
        "to" : "bar",
        "on_failure" : [
          {
            "set" : {
              "field" : "error",
              "value" : "{{ _ingest.on_failure_message }}"
            }
          }
        ]
      }
    }
  ]
}
--------------------------------------------------

[[ingest-processors]]
== Processors

All processors are defined in the following way within a pipeline definition:

[source,js]
--------------------------------------------------
{
  "PROCESSOR_NAME" : {
    ... processor configuration options ...
  }
}
--------------------------------------------------

Each processor defines its own configuration parameters, but all processors have
the ability to declare `tag` and `on_failure` fields. These fields are optional.

A `tag` is simply a string identifier of the specific instantiation of a certain
processor in a pipeline. The `tag` field does not affect the processor's behavior,
but is very useful for bookkeeping and tracing errors to specific processors.

See <<handling-failure-in-pipelines>> to learn more about the `on_failure` field and error handling in pipelines.

The <<ingest-info,node info API>> can be used to figure out what processors are available in a cluster.
The <<ingest-info,node info API>> will provide a per node list of what processors are available.

Custom processors must be installed on all nodes. The put pipeline API will fail if a processor specified in a pipeline
doesn't exist on all nodes. If you rely on custom processor plugins make sure to mark these plugins as mandatory by adding
`plugin.mandatory` setting to the `config/elasticsearch.yml` file, for example:

[source,yaml]
--------------------------------------------------
plugin.mandatory: ingest-attachment,ingest-geoip
--------------------------------------------------

A node will not start if either of these plugins are not available.

[[append-procesesor]]
=== Append Processor
Appends one or more values to an existing array if the field already exists and it is an array.
Converts a scalar to an array and appends one or more values to it if the field exists and it is a scalar.
Creates an array containing the provided values if the field doesn't exist.
Accepts a single value or an array of values.

[[append-options]]
.Append Options
[options="header"]
|======
| Name      | Required  | Default  | Description
| `field`   | yes       | -        | The field to be appended to
| `value`   | yes       | -        | The value to be appended
|======

[source,js]
--------------------------------------------------
{
  "append": {
    "field": "field1"
    "value": ["item2", "item3", "item4"]
  }
}
--------------------------------------------------

[[convert-processor]]
=== Convert Processor
Converts an existing field's value to a different type, such as converting a string to an integer.
If the field value is an array, all members will be converted.

The supported types include: `integer`, `float`, `string`, and `boolean`.

Specifying `boolean` will set the field to true if its string value is equal to `true` (ignore case), to
false if its string value is equal to `false` (ignore case), or it will throw an exception otherwise.

[[convert-options]]
.Convert Options
[options="header"]
|======
| Name      | Required  | Default  | Description
| `field`   | yes       | -        | The field whose value is to be converted
| `type`    | yes       | -        | The type to convert the existing value to
|======

[source,js]
--------------------------------------------------
{
  "convert": {
    "field" : "foo"
    "type": "integer"
  }
}
--------------------------------------------------

[[date-processor]]
=== Date Processor

Parses dates from fields, and then uses the date or timestamp as the timestamp for the document.
By default, the date processor adds the parsed date as a new field called `@timestamp`. You can specify a
different field by setting the `target_field` configuration parameter. Multiple date formats are supported
as part of the same date processor definition. They will be used sequentially to attempt parsing the date field,
in the same order they were defined as part of the processor definition.

[[date-options]]
.Date options
[options="header"]
|======
| Name                   | Required  | Default             | Description
| `match_field`          | yes       | -                   | The field to get the date from.
| `target_field`         | no        | @timestamp          | The field that will hold the parsed date.
| `match_formats`        | yes       | -                   | An array of the expected date formats. Can be a Joda pattern or one of the following formats: ISO8601, UNIX, UNIX_MS, or TAI64N.
| `timezone`             | no        | UTC                 | The timezone to use when parsing the date.
| `locale`               | no        | ENGLISH             | The locale to use when parsing the date, relevant when parsing month names or week days.
|======

Here is an example that adds the parsed date to the `timestamp` field based on the `initial_date` field:

[source,js]
--------------------------------------------------
{
  "description" : "...",
  "processors" : [
    {
      "date" : {
        "match_field" : "initial_date",
        "target_field" : "timestamp",
        "match_formats" : ["dd/MM/yyyy hh:mm:ss"],
        "timezone" : "Europe/Amsterdam"
      }
    }
  ]
}
--------------------------------------------------

[[fail-processor]]
=== Fail Processor
Raises an exception. This is useful for when
you expect a pipeline to fail and want to relay a specific message
to the requester.

[[fail-options]]
.Fail Options
[options="header"]
|======
| Name       | Required  | Default  | Description
| `message`  | yes       | -        | The error message of the `FailException` thrown by the processor
|======

[source,js]
--------------------------------------------------
{
  "fail": {
    "message": "an error message"
  }
}
--------------------------------------------------

[[foreach-processor]]
=== Foreach Processor
Processes elements in an array of unknown length.

All processors can operate on elements inside an array, but if all elements of an array need to
be processed in the same way, defining a processor for each element becomes cumbersome and tricky
because it is likely that the number of elements in an array is unknown. For this reason the `foreach`
processor exists. By specifying the field holding array elements and a list of processors that
define what should happen to each element, array fields can easily be preprocessed.

Processors inside the foreach processor work in a different context, and the only valid top-level
field is `_value`, which holds the array element value. Under this field other fields may exist.

If the `foreach` processor fails to process an element inside the array, and no `on_failure` processor has been specified,
then it aborts the execution and leaves the array unmodified.

[[foreach-options]]
.Foreach Options
[options="header"]
|======
| Name          | Required  | Default  | Description
| `field`       | yes       | -        | The array field
| `processors`  | yes       | -        | The processors
|======

Assume the following document:

[source,js]
--------------------------------------------------
{
  "value" : ["foo", "bar", "baz"]
}
--------------------------------------------------

When this `foreach` processor operates on this sample document:

[source,js]
--------------------------------------------------
{
  "foreach" : {
    "field" : "values",
    "processors" : [
      {
        "uppercase" : {
          "field" : "_value"
        }
      }
    ]
  }
}
--------------------------------------------------

Then the document will look like this after preprocessing:

[source,js]
--------------------------------------------------
{
  "value" : ["FOO", "BAR", "BAZ"]
}
--------------------------------------------------

Let's take a look at another example:

[source,js]
--------------------------------------------------
{
  "persons" : [
    {
      "id" : "1",
      "name" : "John Doe"
    },
    {
      "id" : "2",
      "name" : "Jane Doe"
    }
  ]
}
--------------------------------------------------

In this case, the `id` field needs to be removed,
so the following `foreach` processor is used:

[source,js]
--------------------------------------------------
{
  "foreach" : {
    "field" : "persons",
    "processors" : [
      {
        "remove" : {
          "field" : "_value.id"
        }
      }
    ]
  }
}
--------------------------------------------------

After preprocessing the result is:

[source,js]
--------------------------------------------------
{
  "persons" : [
    {
      "name" : "John Doe"
    },
    {
      "name" : "Jane Doe"
    }
  ]
}
--------------------------------------------------

As for any processor, you can define `on_failure` processors
in processors that are wrapped inside the `foreach` processor.

For example, the `id` field may not exist on all person objects.
Instead of failing the index request, you can use an `on_failure`
block to send the document to the 'failure_index' index for later inspection:

[source,js]
--------------------------------------------------
{
  "foreach" : {
    "field" : "persons",
    "processors" : [
      {
        "remove" : {
          "field" : "_value.id",
          "on_failure" : [
            {
              "set" : {
                "field", "_index",
                "value", "failure_index"
              }
            }
          ]
        }
      }
    ]
  }
}
--------------------------------------------------

In this example, if the `remove` processor does fail, then
the array elements that have been processed thus far will
be updated.

[[grok-processor]]
=== Grok Processor

Extracts structured fields out of a single text field within a document. You choose which field to
extract matched fields from, as well as the grok pattern you expect will match. A grok pattern is like a regular
expression that supports aliased expressions that can be reused.

This tool is perfect for syslog logs, apache and other webserver logs, mysql logs, and in general, any log format
that is generally written for humans and not computer consumption.

The processor comes packaged with over 120 reusable patterns that are located at `$ES_HOME/config/ingest/grok/patterns`.
Here, you can add your own custom grok pattern files with custom grok expressions to be used by the processor.

If you need help building patterns to match your logs, you will find the <http://grokdebug.herokuapp.com> and
<http://grokconstructor.appspot.com/> applications quite useful!

[[grok-basics]]
==== Grok Basics

Grok sits on top of regular expressions, so any regular expressions are valid in grok as well.
The regular expression library is Oniguruma, and you can see the full supported regexp syntax
https://github.com/kkos/oniguruma/blob/master/doc/RE[on the Onigiruma site].

Grok works by leveraging this regular expression language to allow naming existing patterns and combining them into more
complex patterns that match your fields.

The syntax for reusing a grok pattern comes in three forms: `%{SYNTAX:SEMANTIC}`, `%{SYNTAX}`, `%{SYNTAX:SEMANTIC:TYPE}`.

The `SYNTAX` is the name of the pattern that will match your text. For example, `3.44` will be matched by the `NUMBER`
pattern and `55.3.244.1` will be matched by the `IP` pattern. The syntax is how you match. `NUMBER` and `IP` are both
patterns that are provided within the default patterns set.

The `SEMANTIC` is the identifier you give to the piece of text being matched. For example, `3.44` could be the
duration of an event, so you could call it simply `duration`. Further, a string `55.3.244.1` might identify
the `client` making a request.

The `TYPE` is the type you wish to cast your named field. `int` and `float` are currently the only types supported for coercion.

For example, you might want to match the following text:

[source,js]
--------------------------------------------------
3.44 55.3.244.1
--------------------------------------------------

You may know that the message in the example is a number followed by an IP address. You can match this text by using the following
Grok expression.

[source,js]
--------------------------------------------------
%{NUMBER:duration} %{IP:client}
--------------------------------------------------

[[custom-patterns]]
==== Custom Patterns and Pattern Files

The Grok processor comes pre-packaged with a base set of pattern files. These patterns may not always have
what you are looking for. These pattern files have a very basic format. Each line describes a named pattern with
the following format:

[source,js]
--------------------------------------------------
NAME ' '+ PATTERN '\n'
--------------------------------------------------

You can add new patterns to an existing file, or add your own file in the patterns directory here: `$ES_HOME/config/ingest/grok/patterns`.
Ingest node picks up files in this directory and loads the patterns into the grok processor's known patterns.
These patterns are loaded at startup, so you need to restart your ingest node if you want to update these files.

Here is an example snippet of pattern definitions found in the `grok-patterns` patterns file:

[source,js]
--------------------------------------------------
YEAR (?>\d\d){1,2}
HOUR (?:2[0123]|[01]?[0-9])
MINUTE (?:[0-5][0-9])
SECOND (?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)
TIME (?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
--------------------------------------------------

[[using-grok]]
==== Using the Grok Processor in a Pipeline

[[grok-options]]
.Grok Options
[options="header"]
|======
| Name                   | Required  | Default             | Description
| `field`                | yes       | -                   | The field to use for grok expression parsing
| `pattern`              | yes       | -                   | The grok expression to match and extract named captures with
| `pattern_definitions`  | no        | -                   | A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
|======

Here is an example of using the provided patterns to extract out and name structured fields from a string field in
a document.

[source,js]
--------------------------------------------------
{
  "message": "55.3.244.1 GET /index.html 15824 0.043"
}
--------------------------------------------------

The pattern for this could be:

[source,js]
--------------------------------------------------
%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}
--------------------------------------------------

Here is an example pipeline for processing the above document by using Grok:

[source,js]
--------------------------------------------------
{
  "description" : "...",
  "processors": [
    {
      "grok": {
        "field": "message",
        "pattern": "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}"
      }
    }
  ]
}
--------------------------------------------------

This pipeline will insert these named captures as new fields within the document, like so:

[source,js]
--------------------------------------------------
{
  "message": "55.3.244.1 GET /index.html 15824 0.043",
  "client": "55.3.244.1",
  "method": "GET",
  "request": "/index.html",
  "bytes": 15824,
  "duration": "0.043"
}
--------------------------------------------------

Here is an example of a pipeline specifying custom pattern definitions:

[source,js]
--------------------------------------------------
{
  "description" : "...",
  "processors": [
    {
      "grok": {
        "field": "message",
        "pattern": "my %{FAVORITE_DOG:dog} is colored %{RGB:color}"
        "pattern_definitions" : {
          "FAVORITE_DOG" : "beagle",
          "RGB" : "RED|GREEN|BLUE"
        }
      }
    }
  ]
}
--------------------------------------------------

[[gsub-processor]]
=== Gsub Processor
Converts a string field by applying a regular expression and a replacement.
If the field is not a string, the processor will throw an exception.

[[gsub-options]]
.Gsub Options
[options="header"]
|======
| Name          | Required  | Default  | Description
| `field`       | yes       | -        | The field to apply the replacement to
| `pattern`     | yes       | -        | The pattern to be replaced
| `replacement` | yes       | -        | The string to replace the matching patterns with
|======

[source,js]
--------------------------------------------------
{
  "gsub": {
    "field": "field1",
    "pattern": "\.",
    "replacement": "-"
  }
}
--------------------------------------------------

[[join-processor]]
=== Join Processor
Joins each element of an array into a single string using a separator character between each element.
Throws an error when the field is not an array.

[[join-options]]
.Join Options
[options="header"]
|======
| Name          | Required  | Default  | Description
| `field`       | yes       | -        | The field to be separated
| `separator`   | yes       | -        | The separator character
|======

[source,js]
--------------------------------------------------
{
  "join": {
    "field": "joined_array_field",
    "separator": "-"
  }
}
--------------------------------------------------

[[lowercase-processor]]
=== Lowercase Processor
Converts a string to its lowercase equivalent.

[[lowercase-options]]
.Lowercase Options
[options="header"]
|======
| Name     | Required  | Default  | Description
| `field`  | yes       | -        | The field to make lowercase
|======

[source,js]
--------------------------------------------------
{
  "lowercase": {
    "field": "foo"
  }
}
--------------------------------------------------

[[remove-processor]]
=== Remove Processor
Removes an existing field. If the field doesn't exist, an exception will be thrown.

[[remove-options]]
.Remove Options
[options="header"]
|======
| Name      | Required  | Default  | Description
| `field`   | yes       | -        | The field to be removed
|======

[source,js]
--------------------------------------------------
{
  "remove": {
    "field": "foo"
  }
}
--------------------------------------------------

[[rename-processor]]
=== Rename Processor
Renames an existing field. If the field doesn't exist or the new name is already used, an exception will be thrown.

[[rename-options]]
.Rename Options
[options="header"]
|======
| Name      | Required  | Default  | Description
| `field`   | yes       | -        | The field to be renamed
| `to`      | yes       | -        | The new name of the field
|======

[source,js]
--------------------------------------------------
{
  "rename": {
    "field": "foo",
    "to": "foobar"
  }
}
--------------------------------------------------

[[set-processor]]
=== Set Processor
Sets one field and associates it with the specified value. If the field already exists,
its value will be replaced with the provided one.

[[set-options]]
.Set Options
[options="header"]
|======
| Name      | Required  | Default  | Description
| `field`   | yes       | -        | The field to insert, upsert, or update
| `value`   | yes       | -        | The value to be set for the field
|======

[source,js]
--------------------------------------------------
{
  "set": {
    "field": "field1",
    "value": 582.1
  }
}
--------------------------------------------------

[[split-processor]]
=== Split Processor
Splits a field into an array using a separator character. Only works on string fields.

[[split-options]]
.Split Options
[options="header"]
|======
| Name     | Required  | Default  | Description
| `field`  | yes       | -        | The field to split
|======

[source,js]
--------------------------------------------------
{
  "split": {
    "field": ","
  }
}
--------------------------------------------------

[[trim-processor]]
=== Trim Processor
Trims whitespace from field.

NOTE: This only works on leading and trailing whitespace.

[[trim-options]]
.Trim Options
[options="header"]
|======
| Name     | Required  | Default  | Description
| `field`  | yes       | -        | The string-valued field to trim whitespace from
|======

[source,js]
--------------------------------------------------
{
  "trim": {
    "field": "foo"
  }
}
--------------------------------------------------

[[uppercase-processor]]
=== Uppercase Processor
Converts a string to its uppercase equivalent.

[[uppercase-options]]
.Uppercase Options
[options="header"]
|======
| Name     | Required  | Default  | Description
| `field`  | yes       | -        | The field to make uppercase
|======

[source,js]
--------------------------------------------------
{
  "uppercase": {
    "field": "foo"
  }
}
--------------------------------------------------