## DISSECT

The `DISSECT` command in ES|QL allows you to extract structured data from a string. It matches the string against a delimiter-based pattern and extracts the specified keys as columns. This can be particularly useful when you need to parse a string that contains multiple pieces of information, such as a timestamp, some text, and an IP address.

### Syntax

The syntax for the `DISSECT` command is as follows:


`DISSECT input "pattern" [APPEND_SEPARATOR="<separator>"]`

Here, `input` is the column that contains the string you want to structure. If the column has multiple values, `DISSECT` will process each value. `pattern` is a dissect pattern that you want to match against the string. `<separator>` is an optional string used as the separator between appended values when using the append modifier.

### Examples

Here are some examples of how you can use the `DISSECT` command in ES|QL:

**Example 1:**

```esql
ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
| DISSECT a "%{date} - %{msg} - %{ip}"
| KEEP date, msg, ip
```

In this example, the `DISSECT` command is used to parse a string that contains a timestamp, some text, and an IP address. The command matches the string against the pattern `"%{date} - %{msg} - %{ip}"` and extracts the date, message, and IP address as separate columns.

**Example 2:**

```esql
ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
| DISSECT a "%{date} - %{msg} - %{ip}"
| KEEP date, msg, ip
| EVAL date = TO_DATETIME(date)
```

This example is similar to the first one, but it also includes a `TO_DATETIME` function to convert the `date` column to a datetime type.

**Example 3:**

```esql
ROW a = "John Doe - john.doe@example.com - 123 Main St"
| DISSECT a "%{name} - %{email} - %{address}"
| KEEP name, email, address
```

In this example, the `DISSECT` command is used to parse a string that contains a name, email address, and physical address. The command matches the string against the pattern `"%{name} - %{email} - %{address}"` and extracts the name, email, and address as separate columns.
