Skip to content

ESQL: Multiple patterns for grok command #132486

New issue
New issue
Closed
#136541
Closed
ESQL: Multiple patterns for grok command#132486
#136541
Assignees
flash1293
Labels
:Analytics/ES|QLAKA ESQL>enhancementTeam:AnalyticsMeta label for analytical engine team (ESQL/Aggs/Geo)
@flash1293

Description

@flash1293
flash1293
opened on Aug 6, 2025

Description

The ingest pipeline grok variant supports multiple patterns that are applied one after the other - as soon as one matches, evaluation is stopped.

This is useful for parsing multiple patterns in one go, ESQL should support it as well.

It could look like this:

ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42"
| GROK a """%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num}""" """%{TIMESTAMP_ISO8601:date} %{EMAILADDRESS:email} %{NUMBER:num} %{IP:ip}"""
| KEEP date, ip, email, num

In this case ,if the IP occurs after the timestamp or at the end of the message it's parsed correctly in both cases.

Metadata

Metadata

Assignees

Labels

:Analytics/ES|QLAKA ESQL>enhancementTeam:AnalyticsMeta label for analytical engine team (ESQL/Aggs/Geo)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions