Dissect splits a string into its parts. A dissect implementation compares a string against a pattern and then splits the string based on the pattern rules. This specification defines the expected behavior for dissect implementations.
"%{timestamp} %{+timestamp} %{+timestamp} %{logsource} %{program}[%{pid}]: %{message}
. %{key}
. %{a} %{b},%{c}
foo bar,baz
a=foo, b=bar, c=baz
This pattern has 3 keys: a
, b
, and c
, and two delimiters ` (space) and
,` (comma). When the parser is run against the string with the given pattern, the result is a set of key/value pairs. The parser searches for the when the delimiter in the pattern matches the delimiter in the string.
In this example, search the string for ` (space), the first delimiter. Found a space in the string, so assign the a key equal to everything up until the space (but not including). So a=foo. The next delimiter is
,` (comma) search for comma in the string, found it, so assign b=bar. No more delimiters, so assign c to the remainder of the string (baz).
%
as delimiters%{
and end with }
%{key_name}
and it must be able to be encoded as UTF-8.%{}
, this is called a skip key and must not be included in the final results.->
: Right padding ignore - instructs the parser to ignore repeating consecutive repeating delimiters to the right of the key. The ->
modifier must be placed to the right of the key name and is allowed to co-exist with any other modifiers and must always be the furthest right modifier. see example below+
Append - instructs the parser to append this key's value to the value to the prior key (left to right) with the same name. A user defined append separator must be supported. The user defined separator is a character, or set of characters that will be placed between the appended values. The +
modifier must be placed to the left of the key name. see example below+
and /n
Append with order - instructs the parser to append this key's to the value of the prior key with the same name based on order. The +
modifier must be placed on the left of the key name and /n
modifier placed to the right of the key name, where n = order. The order must start at 1
. see example below?
- Named skip key instructs the parser to not include this result in the final result set. Behaves identical to an empty skip key %{}
but may be used to help with human readability. The ?
modifier must be placed to the left of the key name. see example below *
and &
reference modifiers. This modifier requires two keys with the same name present in the dissect pattern. One key with the *
and another with the &
. This instructs the parser that the value discovered by the *
is to be used as the key name for the value discovered by the corresponding &
key. These modifiers must be placed on the left of the key name. see example below%{}
(skip key) as valid match, but not include the result in the result set. ->
%{a->} %{b} %{c}
foo bar baz
a=foo, b=bar, c=baz
In the above example, the delimiter is ` (space), the
->instructs the parser to skip all of the consecutive repeating
to the right of
a`
%{a->},%{b},%{c}
foo,,,,bar,baz
a=foo, b=bar, c=baz
In the above example, the delimiter is ,
(comma) and the ->
instructs the parser to skip all of the consecutive repeating ,
to the right of a
Multi-character delimiters must be supported.
%{a->},:%{b},%{c}
foo,:,:,:,:bar,baz
a=foo, b=bar, c=baz
Empty skip key with right padding must be supported.
%{->},%{b},%{c}
foo,,,,bar,baz
b=bar, c=baz
+
%{a} %{+a} %{+a}
foo bar baz
a=foobarbaz
In the above example the, the values are append in left to right order to the result.
A user specified append separator must be supported. Assume the user define the separator to be ,
(comma space)
%{a} %{+a} %{+a}
foo bar baz
a=foo, bar, baz
+
with /n
%{a} %{+a/2} %{+a/1}
foo bar baz
a=foobazbar
In the above example the values are appended together based on the order specified.
?
%{a} %{?skipme} %{c}
foo bar baz
a=foo, c=baz
In the above example, the parser finds the matches correctly, but excludes the middle key from the results. This is the same behavior as %{}
, and the name is only used for human readability.
*
and &
%{*a} %{b} %{&a}
foo bar baz
foo=baz, b=bar
In the above example, there is a pair of a
keys. One has the *
and the other &
. This instructs the parser to use the value of the *
as the key name for the value of &
in the result set. *
and &
must come in pairs in the dissect pattern.
The left / right order of *
and &
does not matter.
%{&a} %{b} %{*a}
foo bar baz
baz=foo, b=bar
%{a} %{b},%{c}
foo bar,baz something more here
a=foo, b=bar, c=baz something more here
In the above example the last key matched the remainder of the input string.
%{a},%{b},%{c},%{d},%{e},%{f},%{g}
foo,,,,,,bar
a=foo, b="", c ="", d="", e="", f="", g=bar
In the above example the ,
repeats many times, leaving 5 empty key/value pairs.
%{a},%{b},%{c},%{d},%{e},%{f},%{g}
foo,,bar,,,,baz
a=foo, b="", c ="bar", d="", e="", f="", g=baz
In the above example the ,
repeats many times, finds a value, then repeats more.
%{a->},%{g}
foo,,,,,,bar
a=foo, g=bar
In the above example the ,
repeats many times, but the right padding modifier ->
instructs the parser to skip over the repeating delimiters.
%{timestamp} %{+timestamp} %{+timestamp} %{logsource} %{program}[%{pid}]: %{message}
Mar 16 00:01:25 example postfix/smtpd[1713]: connect from example.com[192.100.1.3]
timestamp="Mar 16 00:01:25" , logsource="example", program="postix/smtpd" pid="1713" message="connect from example.com[192.100.1.3]"