Skip to content

Commit e84d27c

Browse files
georgewallacejoshua-adams-1
authored andcommitted
Update dissect-processor.md (elastic#128708)
1 parent 1756b42 commit e84d27c

File tree

1 file changed

+8
-8
lines changed

1 file changed

+8
-8
lines changed

docs/reference/enrich-processor/dissect-processor.md

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -46,7 +46,7 @@ and result in a document with the following fields:
4646

4747
A dissect pattern is defined by the parts of the string that will be discarded. In the previous example, the first part to be discarded is a single space. Dissect finds this space, then assigns the value of `clientip` everything up until that space. Next, dissect matches the `[` and then `]` and then assigns `@timestamp` to everything in-between `[` and `]`. Paying special attention to the parts of the string to discard will help build successful dissect patterns.
4848

49-
Successful matches require all keys in a pattern to have a value. If any of the `%{{keyname}}` defined in the pattern do not have a value, then an exception is thrown and may be handled by the [`on_failure`](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md#handling-pipeline-failures) directive. An empty key `%{}` or a [named skip key](#dissect-modifier-named-skip-key) can be used to match values, but exclude the value from the final document. All matched values are represented as string data types. The [convert processor](/reference/enrich-processor/convert-processor.md) may be used to convert to expected data type.
49+
Successful matches require all keys in a pattern to have a value. If any of the `%{keyname}` defined in the pattern do not have a value, then an exception is thrown and may be handled by the [`on_failure`](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md#handling-pipeline-failures) directive. An empty key `%{}` or a [named skip key](#dissect-modifier-named-skip-key) can be used to match values, but exclude the value from the final document. All matched values are represented as string data types. The [convert processor](/reference/enrich-processor/convert-processor.md) may be used to convert to expected data type.
5050

5151
Dissect also supports [key modifiers](#dissect-key-modifiers) that can change dissect’s default behavior. For example you can instruct dissect to ignore certain fields, append fields, skip over padding, etc. See [below](#dissect-key-modifiers) for more information.
5252

@@ -75,7 +75,7 @@ $$$dissect-options$$$
7575

7676
## Dissect key modifiers [dissect-key-modifiers]
7777

78-
Key modifiers can change the default behavior for dissection. Key modifiers may be found on the left or right of the `%{{keyname}}` always inside the `%{` and `}`. For example `%{+keyname ->}` has the append and right padding modifiers.
78+
Key modifiers can change the default behavior for dissection. Key modifiers may be found on the left or right of the `%{keyname}` always inside the `%{` and `}`. For example `%{+keyname ->}` has the append and right padding modifiers.
7979

8080
$$$dissect-key-modifiers-table$$$
8181

@@ -89,9 +89,9 @@ $$$dissect-key-modifiers-table$$$
8989

9090
### Right padding modifier (`->`) [dissect-modifier-skip-right-padding]
9191

92-
The algorithm that performs the dissection is very strict in that it requires all characters in the pattern to match the source string. For example, the pattern `%{{fookey}} %{{barkey}}` (1 space), will match the string "foo bar" (1 space), but will not match the string "foo bar" (2 spaces) since the pattern has only 1 space and the source string has 2 spaces.
92+
The algorithm that performs the dissection is very strict in that it requires all characters in the pattern to match the source string. For example, the pattern `%{fookey} %{barkey}` (1 space), will match the string "foo bar" (1 space), but will not match the string "foo bar" (2 spaces) since the pattern has only 1 space and the source string has 2 spaces.
9393

94-
The right padding modifier helps with this case. Adding the right padding modifier to the pattern `%{fookey->} %{{barkey}}`, It will now will match "foo bar" (1 space) and "foo bar" (2 spaces) and even "foo bar" (10 spaces).
94+
The right padding modifier helps with this case. Adding the right padding modifier to the pattern `%{fookey->} %{barkey}`, It will now will match "foo bar" (1 space) and "foo bar" (2 spaces) and even "foo bar" (10 spaces).
9595

9696
Use the right padding modifier to allow for repetition of the characters after a `%{keyname->}`.
9797

@@ -101,7 +101,7 @@ Right padding modifier example
101101

102102
| | |
103103
| --- | --- |
104-
| **Pattern** | `%{ts->} %{{level}}` |
104+
| **Pattern** | `%{ts->} %{level}` |
105105
| **Input** | 1998-08-10T17:15:42,466 WARN |
106106
| **Result** | * ts = 1998-08-10T17:15:42,466<br>* level = WARN<br> |
107107

@@ -111,7 +111,7 @@ Right padding modifier with empty key example
111111

112112
| | |
113113
| --- | --- |
114-
| **Pattern** | `[%{{ts}}]%{->}[%{{level}}]` |
114+
| **Pattern** | `[%{ts}]%{->}[%{level}]` |
115115
| **Input** | [1998-08-10T17:15:42,466] [WARN] |
116116
| **Result** | * ts = 1998-08-10T17:15:42,466<br>* level = WARN<br> |
117117

@@ -153,7 +153,7 @@ Named skip key modifier example
153153

154154
| | |
155155
| --- | --- |
156-
| **Pattern** | `%{{clientip}} %{?ident} %{?auth} [%{@timestamp}]` |
156+
| **Pattern** | `%{clientip} %{?ident} %{?auth} [%{@timestamp}]` |
157157
| **Input** | 1.2.3.4 - - [30/Apr/1998:22:00:52 +0000] |
158158
| **Result** | * clientip = 1.2.3.4<br>* @timestamp = 30/Apr/1998:22:00:52 +0000<br> |
159159

@@ -167,7 +167,7 @@ Reference key modifier example
167167

168168
| | |
169169
| --- | --- |
170-
| **Pattern** | `[%{{ts}}] [%{{level}}] %{*p1}:%{&p1} %{*p2}:%{&p2}` |
170+
| **Pattern** | `[%{ts}] [%{level}] %{*p1}:%{&p1} %{*p2}:%{&p2}` |
171171
| **Input** | [2018-08-10T17:15:42,466] [ERR] ip:1.2.3.4 error:REFUSED |
172172
| **Result** | * ts = 2018-08-10T17:15:42,466<br>* level = ERR<br>* ip = 1.2.3.4<br>* error = REFUSED<br> |
173173

0 commit comments

Comments
 (0)