docs/reference/query-languages/esql/_snippets/commands/layout/grok.md
serverless: ga
stack: ga
GROK enables you to extract structured data out of a string.
GROK input "pattern"
input
: The column that contains the string you want to structure. If the column has
multiple values, GROK will process each value.
pattern
: A grok pattern. If a field name conflicts with an existing column, the existing column is discarded.
If a field name is used more than once, a multi-valued column will be created with one value
per each occurrence of the field name.
GROK enables you to extract structured data out of a string.
GROK matches the string against patterns, based on regular expressions,
and extracts the specified patterns as columns.
Refer to Process data with GROK for the syntax of grok patterns.
The following examples show how to parse, type-convert, and handle multivalued output with GROK.
Parse a string that contains a timestamp, an IP address, an email address, and a number:
:::{include} ../examples/docs.csv-spec/basicGrok.md :::
By default, GROK outputs keyword string columns. int and float types can
be converted by appending :type to the semantics in the pattern. For example
{NUMBER:num:int}:
:::{include} ../examples/docs.csv-spec/grokWithConversionSuffix.md :::
For other type conversions, use Type conversion functions:
:::{include} ../examples/docs.csv-spec/grokWithToDatetime.md :::
If a field name is used more than once, GROK creates a multi-valued column:
:::{include} ../examples/docs.csv-spec/grokWithDuplicateFieldNames.md :::