## GROK

The `GROK` command in ES|QL enables you to extract structured data out of a string. It matches the string against patterns, based on regular expressions, and extracts the specified patterns as columns. This can be particularly useful when you need to parse a string that contains multiple pieces of information, such as a timestamp, an IP address, an email address, and a number.

### Limitations

By default, `GROK` outputs keyword string columns. Integer (`int`) and float types can be converted by appending `:type` to the semantics in the pattern. For other type conversions, you need to use Type conversion functions.

### Examples

Here are some examples of how you can use the `GROK` command in ES|QL:

**Example 1: Parsing a string with multiple pieces of information**

```esql
ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42"
| GROK a "%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num}"
| KEEP date, ip, email, num
```

In this example, the `GROK` command is used to parse a string that contains a timestamp, an IP address, an email address, and a number. The `KEEP` command is then used to keep only the extracted date, IP, email, and number columns.

**Example 2: Converting types with GROK**

```esql
ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42"
| GROK a "%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num:int}"
| KEEP date, ip, email, num
```

In this example, the `GROK` command is used similarly to the first example, but with an additional `:int` appended to the `NUMBER` semantic in the pattern. This converts the extracted number to an integer type.

**Example 3: Using type conversion functions with GROK**

```esql
ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42"
| GROK a "%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num:int}"
| KEEP date, ip, email, num
| EVAL date = TO_DATETIME(date)
```

In this example, the `GROK` command is used to parse a string and convert the extracted number to an integer type. Then, the `EVAL` command is used with the `TO_DATETIME` function to convert the extracted date string to a datetime type.