# DISSECT

The DISSECT command is used to extract structured data from a string. It matches the string against a delimiter-based pattern and extracts the specified keys as columns.

### Use Cases
- **Log Parsing**: Extracting timestamps, log levels, and messages from log entries.
- **Data Transformation**: Converting unstructured text data into structured columns for further analysis.
- **Data Cleaning**: Removing or reformatting specific parts of a string to make the data more usable.

## Syntax

`DISSECT input "pattern" [APPEND_SEPARATOR="<separator>"]`

### Parameters

#### input

The column containing the string you want to structure. If the column has multiple values, DISSECT will process each value.

#### pattern

A dissect pattern. If a field name conflicts with an existing column, the existing column is dropped. If a field name is used more than once, only the rightmost duplicate creates a column.

#### <separator>

A string used as the separator between appended values, when using the append modifier.

## Examples

The following example parses a string that contains a timestamp, some text, and an IP address:

```esql
ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
| DISSECT a "%{date} - %{msg} - %{ip}"
| KEEP date, msg, ip
```

By default, DISSECT outputs keyword string columns. To convert to another type, use Type conversion functions:

```esql
ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
| DISSECT a "%{date} - %{msg} - %{ip}"
| KEEP date, msg, ip
| EVAL date = TO_DATETIME(date)
```

In this example, we use the `APPEND_SEPARATOR` to concatenate values with a custom separator:

```esql
ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
| DISSECT a "%{date} - %{msg} - %{ip}" APPEND_SEPARATOR=" | "
| KEEP date, msg, ip
```

### Limitations
- If a field name conflicts with an existing column, the existing column is dropped.
- If a field name is used more than once, only the rightmost duplicate creates a column.
- DISSECT does not support reference keys.
