
Dissect

Category: Parse. Elastic compatible.

Schema

dissect:
- field: <ident>
- pattern: <string>
- append_separator: <char>
- description: <text>
- if: <script>
- ignore_failure: <boolean>
- ignore_missing: <boolean>
- on_failure: <processor[]>
- on_success: <processor[]>
- tag: <string>

Synopsis

Extracts values from strings using predefined patterns without regular expressions.

Configuration

Field             Required  Default  Description
field             Y         -        Field containing the string to dissect
pattern           Y         -        Pattern with named capture groups using %{key} syntax
append_separator  N         " "      Single character used as separator when appending fields
description       N         -        Explanatory note
if                N         -        Condition to run
ignore_failure    N         false    See Handling Failures
ignore_missing    N         false    If true and the field does not exist or is null, exit quietly
on_failure        N         -        See Handling Failures
on_success        N         -        See Handling Success
tag               N         -        Identifier

Details

The processor splits the input string on the literal delimiters written in the pattern and assigns each piece to the named key that precedes that delimiter.

Literal text in the pattern is matched verbatim. Each %{keyname} captures the text between its surrounding literals into a field of that name; the final group takes whatever remains of the input. A dotted key name such as %{event.reason} creates a nested object. Captured values are always stored as strings, so a value like "28" still needs conversion before any numeric comparison.

note

Unlike regular expressions, dissect patterns have no quantifiers or character classes: separators and spacing must match exactly. Use pattern modifiers to handle variable whitespace.

The pattern must consume the entire input string, and every named group (%{keyname}) must capture a value; trailing input that the pattern does not account for, or a group left with nothing to capture, makes the processor fail.

note

Set ignore_missing when the field may be absent, and ignore_failure when a non-matching pattern should not abort the pipeline; in that case the failure is recorded under error.message and processing continues.

warning

The separator in append_separator must be a single character. All named capture groups must extract a non-empty value.

Examples

Basic Extraction

Extracting first name, last name, and age...

{
"message": "John Doe 28"
}
dissect:
- field: message
- pattern: "%{firstname} %{lastname} %{age}"

creates separate fields:

{
"message": "John Doe 28",
"firstname": "John",
"lastname": "Doe",
"age": "28"
}

Nested Fields

Extracting error details from a log message...

{
  "checkpoint": {
    "additional_info": "Administrator failed to log in: Wrong Password",
    "operation": "Log In",
    "audit_status": "Failure"
  }
}
dissect:
- field: checkpoint.additional_info
- pattern: "Administrator failed to log in: %{event.reason}"
- if: ctx.checkpoint?.operation == 'Log In' && ctx.checkpoint.audit_status == 'Failure'

creates a nested event structure:

{
  "checkpoint": {
    "additional_info": "Administrator failed to log in: Wrong Password",
    "operation": "Log In",
    "audit_status": "Failure"
  },
  "event": {
    "reason": "Wrong Password"
  }
}

Non-String Fields

When the field is not a string...

{
"message": 12345
}
dissect:
- field: message
- pattern: "%{data}"
- ignore_failure: true

the raised error is captured:

{
  "message": 12345,
  "error": {
    "message": "field value is not a string"
  }
}

Error Handling

If the pattern doesn't match...

{
"message": "John Doe"
}
dissect:
- field: message
- pattern: "%{firstname} %{lastname} %{age}"
- ignore_failure: true

the raised error can be ignored:

{
  "message": "John Doe",
  "error": {
    "message": "pattern and string value do not match"
  }
}