- Fleet and Elastic Agent Guide: other versions:
- Fleet and Elastic Agent overview
- Beats and Elastic Agent capabilities
- Quick starts
- Migrate from Beats to Elastic Agent
- Deployment models
- Install Elastic Agents
- Install Fleet-managed Elastic Agents
- Install standalone Elastic Agents
- Install Elastic Agents in a containerized environment
- Run Elastic Agent in a container
- Run Elastic Agent on Kubernetes managed by Fleet
- Advanced Elastic Agent configuration managed by Fleet
- Configuring Kubernetes metadata enrichment on Elastic Agent
- Run Elastic Agent on GKE managed by Fleet
- Run Elastic Agent on Amazon EKS managed by Fleet
- Run Elastic Agent on Azure AKS managed by Fleet
- Run Elastic Agent Standalone on Kubernetes
- Scaling Elastic Agent on Kubernetes
- Using a custom ingest pipeline with the Kubernetes Integration
- Environment variables
- Install Elastic Agent from an MSI package
- Installation layout
- Air-gapped environments
- Using a proxy server with Elastic Agent and Fleet
- Uninstall Elastic Agents from edge hosts
- Start and stop Elastic Agents on edge hosts
- Elastic Agent configuration encryption
- Secure connections
- Manage Elastic Agents in Fleet
- Configure standalone Elastic Agents
- Create a standalone Elastic Agent policy
- Structure of a config file
- Inputs
- Providers
- Outputs
- SSL/TLS
- Logging
- Feature flags
- Agent download
- Config file examples
- Grant standalone Elastic Agents access to Elasticsearch
- Example: Use standalone Elastic Agent with Elastic Cloud Serverless to monitor nginx
- Example: Use standalone Elastic Agent with Elasticsearch Service to monitor nginx
- Debug standalone Elastic Agents
- Kubernetes autodiscovery with Elastic Agent
- Monitoring
- Reference YAML
- Manage integrations
- Define processors
- Processor syntax
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_cef
- decode_csv_fields
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- parse_aws_vpc_flow_log
- rate_limit
- registered_domain
- rename
- replace
- script
- syslog
- timestamp
- translate_sid
- truncate_fields
- urldecode
- Command reference
- Troubleshoot
- Release notes
Dissect strings
editDissect strings
editThe dissect
processor tokenizes incoming strings using defined patterns.
Example
edit- dissect: tokenizer: "%{key1} %{key2} %{key3|convert_datatype}" field: "message" target_prefix: "dissect"
For a full example, see Dissect example.
Configuration settings
editElastic Agent processors execute before ingest pipelines, which means that your processor configurations cannot refer to fields that are created by ingest pipelines or Logstash. For more limitations, refer to What are some limitations of using processors?
Name | Required | Default | Description |
---|---|---|---|
|
Yes |
Field used to define the dissection pattern. You can provide an optional convert datatype after the key by using a pipe character ( |
|
|
No |
|
Event field to tokenize. |
|
No |
|
Name of the field where the values will be extracted. When an empty string is defined, the processor creates the keys at the root of the event. When the target key already exists in the event, the processor won’t replace it and log an error; you need to either drop or rename the key before using dissect, or enable the |
|
No |
|
Whether to return an error if the tokenizer fails to match the message field. If |
|
No |
|
Whether to overwrite existing keys. If |
|
No |
|
Enables the trimming of the extracted values. Useful to remove leading and trailing spaces. Possible values are:
|
|
No |
( |
Set of characters to trim from values when |
For tokenization to be successful, all keys must be found and extracted. If a key cannot be found, an error is logged, and no modification is done on the original event.
A key can contain any characters except reserved suffix or prefix modifiers: /
,&
, +
, #
and ?
.
See Conditions for a list of supported conditions.
Dissect example
editFor this example, imagine that an application generates the following messages:
"321 - App01 - WebServer is starting" "321 - App01 - WebServer is up and running" "321 - App01 - WebServer is scaling 2 pods" "789 - App02 - Database will be restarted in 5 minutes" "789 - App02 - Database is up and running" "789 - App02 - Database is refreshing tables"
Use the dissect
processor to split each message into three fields, for example, service.pid
,
service.name
, and service.status
:
- dissect: tokenizer: '"%{service.pid|integer} - %{service.name} - %{service.status}"' field: "message" target_prefix: ""
This configuration produces fields like:
"service": { "pid": 321, "name": "App01", "status": "WebServer is up and running" },
service.name
is an ECS keyword field, which means that you
can use it in Elasticsearch for filtering, sorting, and aggregations.
When possible, use ECS-compatible field names. For more information, see the Elastic Common Schema documentation.
On this page