
parse


The parse command extracts new fields from a text field using a Java regular expression with named capture groups. Each named group in the pattern creates a new string field appended to the search results. The original field is preserved.

parse <field> <regex-pattern>
| Argument | Required | Description |
| --- | --- | --- |
| `<field>` | Yes | The text field to parse. |
| `<regex-pattern>` | Yes | A Java regular expression containing one or more named capture groups using `(?<name>pattern)` syntax. Each named group creates a new string field. If a field with the same name already exists, its values are overwritten. |
  • Named capture groups in the regex pattern become new fields. For example, (?<host>.+) creates a field called host.
  • The pattern must match the entire string from start to end (the equivalent of Java's Matcher.matches()), not just a substring. Use [\s\S]+ at the end of the pattern to consume any remaining content, including trailing newlines, which . does not match in Java by default.
  • If a named group has the same name as a field that already exists, the existing field is overwritten with the extracted value.
  • Parsed fields are available for use in all subsequent pipe commands (where, stats, sort, eval, etc.).
  • The pattern uses Java regular expression syntax.
  • When parsing a null field, the result is an empty string.
  • Fields created by parse cannot be re-parsed by another parse command.
  • The source field used by parse cannot be overridden by a later eval; the eval has no effect on it.

Common regex patterns:

| Pattern | Matches |
| --- | --- |
| `(?<ip>\d+\.\d+\.\d+\.\d+)` | IPv4 addresses |
| `(?<status>\d{3})` | HTTP status codes |
| `(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})` | ISO timestamps |
| `(?<method>GET\|POST\|PUT\|DELETE)` | HTTP methods |
| `(?<path>/[^\s]+)` | URL paths |
| `[\s\S]+` | Remaining text, including newlines |

Extract HTTP method, path, and status from Envoy access logs


Parse the Envoy access log format emitted by the frontend-proxy service. The pattern must match the full body string:

source=logs-otel-v1*
| where like(body, '%HTTP/1.1"%')
| parse body '\[(?<ts>[^\]]+)\] "(?<method>\w+) (?<path>\S+) HTTP/(?<ver>[^"]+)" (?<status>\d+)[\s\S]+'
| head 20
| body | ts | method | path | status |
| --- | --- | --- | --- | --- |
| [2026-02-26T18:04:21.634Z] "GET /api/data HTTP/1.1" 200 … | 2026-02-26T18:04:21.634Z | GET | /api/data | 200 |
| [2026-02-26T18:04:23.059Z] "POST /api/product-ask-ai-assistant/0PUK6V6EV0 HTTP/1.1" 200 … | 2026-02-26T18:04:23.059Z | POST | /api/product-ask-ai-assistant/0PUK6V6EV0 | 200 |
| [2026-02-26T18:04:21.629Z] "GET /api/data/ HTTP/1.1" 308 … | 2026-02-26T18:04:21.629Z | GET | /api/data/ | 308 |


Parse the status code from Envoy access logs and filter for non-2xx responses:

source=logs-otel-v1*
| where `resource.attributes.service.name` = 'frontend-proxy'
| parse body '\[(?<ts>[^\]]+)\] "(?<method>\w+) (?<path>\S+) HTTP/(?<ver>[^"]+)" (?<status>\d+)[\s\S]+'
| where cast(status as int) >= 300
| sort status
| head 20
| method | path | status |
| --- | --- | --- |
| GET | /api/data/ | 308 |
| GET | /api/data/ | 308 |
| GET | /api/data/ | 308 |


Replace the body field with just the user action by using the same field name in the capture group. This works on load-generator log bodies that start with "User":

source=logs-otel-v1*
| where like(body, 'User %')
| parse body 'User (?<body>.+)'
| head 20
| body |
| --- |
| viewing cart |
| getting recommendations for product: 0PUK6V6EV0 |
| getting ads for category: None |
| accessing index page |


Parse the Envoy access log format and count requests per method and path:

source=logs-otel-v1*
| where like(body, '%HTTP/1.1"%')
| parse body '\[(?<ts>[^\]]+)\] "(?<method>\w+) (?<path>\S+) HTTP/(?<ver>[^"]+)" (?<status>\d+)[\s\S]+'
| stats count() as cnt by method, path
| sort - cnt

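The notes above and the Envoy examples describe the matching rules in prose. The Python script below is an editor's example added to this page; it is not part of the page, of OpenSearch, or of any project, and it only emulates the documented parse semantics so that a pattern can be checked offline before it is run against a cluster. It translates Java-style named groups to Python syntax, anchors the match to the whole string with re.fullmatch (the counterpart of Java's Matcher.matches()), turns each named group into a string field, overwrites a same-named existing field, and returns empty strings for a null source. Treating a row the pattern does not match the same way as a null row is an assumption of this emulation. It runs the page's Envoy pattern over constructed log bodies (not real cluster data), shows that a variant ending in .+ instead of [\s\S]+ silently drops a body with a trailing newline, reproduces the non-2xx filter and the count by method and path, and adds an unmatched-row count, which is the check to keep an eye on when a parse feeds a detection query: every row the pattern fails to match disappears from a later where cast(status as int) >= 300 without any error.

```python
import re
from collections import Counter

# Java writes named groups as (?<name>...); Python's re wants (?P<name>...).
# The negative lookahead leaves lookbehinds "(?<=" and "(?<!" untouched.
_JAVA_NAMED_GROUP = re.compile(r"\(\?<(?![=!])([A-Za-z][A-Za-z0-9]*)>")


def java_to_python_regex(pattern: str) -> str:
    """Translate Java-style named capture groups so the pattern compiles under re."""
    return _JAVA_NAMED_GROUP.sub(r"(?P<\1>", pattern)


def parse(row: dict, field: str, pattern: str) -> dict:
    """Emulate PPL `parse <field> <pattern>` on one result row.

    Rules taken from the page: the pattern must match the whole string
    (re.fullmatch, the counterpart of Java's Matcher.matches()), each named
    group becomes a string field, a same-named existing field is overwritten,
    the source field is otherwise kept, and a null source yields "".
    Assumption of this emulation: a non-matching row is treated like null.
    """
    regex = re.compile(java_to_python_regex(pattern))
    value = row.get(field)
    match = regex.fullmatch(value) if isinstance(value, str) else None
    out = dict(row)
    for name in regex.groupindex:
        out[name] = (match.group(name) or "") if match else ""
    return out


# Pattern from the Envoy examples on this page, and a variant ending in ".+"
# (Java's "." does not match a line terminator, so a trailing newline breaks it).
ENVOY = r'\[(?<ts>[^\]]+)\] "(?<method>\w+) (?<path>\S+) HTTP/(?<ver>[^"]+)" (?<status>\d+)[\s\S]+'
ENVOY_DOT = ENVOY.replace(r"[\s\S]+", ".+")

# Constructed sample rows, not real cluster data. The second body ends with a
# newline, as shipped log lines often do; the last row has a null body.
ROWS = [
    {"body": '[2026-02-26T18:04:21.634Z] "GET /api/data HTTP/1.1" 200 - via_upstream'},
    {"body": '[2026-02-26T18:04:21.629Z] "GET /api/data/ HTTP/1.1" 308 - via_upstream\n'},
    {"body": '[2026-02-26T18:04:23.059Z] "POST /api/product-ask-ai-assistant/0PUK6V6EV0 HTTP/1.1" 200 - via_upstream'},
    {"body": '[2026-02-26T18:04:24.101Z] "GET /api/data HTTP/1.1" 200 - via_upstream'},
    {"body": None},
]


def parse_all(rows, pattern, field="body"):
    return [parse(r, field, pattern) for r in rows]


def unmatched(rows, pattern, probe="status"):
    """Rows the pattern silently turned into empty strings. Watch this number:
    every one of them is dropped by a later `where cast(status as int) >= 300`."""
    return sum(1 for r in parse_all(rows, pattern) if r[probe] == "")


def non_2xx(rows, pattern=ENVOY):
    """`where cast(status as int) >= 300 | sort status` on the parsed rows."""
    hits = [(r["method"], r["path"], r["status"])
            for r in parse_all(rows, pattern) if r["status"] and int(r["status"]) >= 300]
    return sorted(hits, key=lambda h: h[2])


def count_by_method_path(rows, pattern=ENVOY):
    """`stats count() as cnt by method, path | sort - cnt` over matched rows."""
    counts = Counter((r["method"], r["path"]) for r in parse_all(rows, pattern) if r["status"])
    return sorted(counts.items(), key=lambda kv: -kv[1])


def user_action(row):
    """Same group name as the source field: `parse body 'User (?<body>.+)'`."""
    return parse(row, "body", r"User (?<body>.+)")["body"]


if __name__ == "__main__":
    for r in parse_all(ROWS, ENVOY):
        print(r["ts"], r["method"], r["path"], repr(r["status"]))
    print("unmatched with [\\s\\S]+:", unmatched(ROWS, ENVOY))      # only the null row
    print("unmatched with .+     :", unmatched(ROWS, ENVOY_DOT))  # null row plus the newline row
    print("non-2xx:", non_2xx(ROWS))
    print("by method/path:", count_by_method_path(ROWS))
    print("action:", user_action({"body": "User viewing cart"}))
```

Run it with plain python3; nothing outside the standard library is needed. When adapting a pattern, compare unmatched() for the real pattern against the row count of the source index: a non-zero gap means rows are vanishing from the parsed output rather than failing loudly.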

Extract partition names from Kafka broker logs


Parse the Kafka broker log body format to extract the broker ID and partition name:

source=logs-otel-v1*
| where `resource.attributes.service.name` = 'kafka'
| where like(body, '%Broker%Creating%')
| parse body '\[Broker id=(?<brokerId>\d+)\] Creating new partition (?<partition>\S+) [\s\S]+'
| head 20

This extracts the broker ID and partition name from Kafka log bodies that follow the [Broker id=N] Creating new partition ... pattern.


Extract product IDs from recommendation logs


Parse recommendation log bodies to extract product IDs and count how often each product is recommended:

source=logs-otel-v1*
| where like(body, '%product:%')
| parse body '(?<action>.+)product: (?<productId>.+)'
| stats count() as cnt by productId
| sort - cnt


Limitations

  • Fields created by parse cannot be parsed again by a subsequent parse command.
  • Fields created by parse cannot be overridden by eval; an eval that assigns to such a field has no effect on it.
  • The source text field used by parse cannot be overridden by a later eval either; its original value is kept.
  • The pattern must match the entire string. Use [\s\S]+ at the end to consume remaining content, including trailing newlines.
  • Parsed fields cannot be filtered or sorted after they are used in a stats command.

See also

  • grok — extract fields using predefined grok patterns instead of raw regex
  • rex — more powerful regex extraction with sed mode and multiple matches
  • patterns — automatically discover log patterns without writing regex
  • PPL Functions Reference — regexp_match and other string functions for regex filtering