Parsing delimiter-stable logs into structured fields improves search, dashboards, and alerting in the Elastic Stack while keeping ingestion overhead low.

The dissect filter tokenizes a source field (commonly message) by matching it against a fixed pattern of literal delimiters and %{field} placeholders. Unlike grok it uses no regular expressions: each delimiter is located in order, left to right, and the text before it is assigned to the preceding placeholder, so it is fastest and most reliable when the log format is consistent across all events.

Delimiter drift (extra spaces, missing segments, reordered fields) can cause parsing failures and add the _dissectfailure tag (configurable via tag_on_failure). Track this tag during rollout to catch format changes early and prevent silent indexing of unparsed messages.

Steps to use the Logstash dissect filter:

  1. Create a pipeline configuration file at /etc/logstash/conf.d/50-dissect.conf.
    input {
      file {
        path => "/var/lib/logstash/examples/dissect.log"
        start_position => "beginning"
        sincedb_path => "/var/lib/logstash/sincedb-dissect"
      }
    }
    
    filter {
      if [log][file][path] == "/var/lib/logstash/examples/dissect.log" {
        dissect {
          id => "dissect_app_log"
          mapping => { "message" => "%{ts} %{level} %{component} %{msg}" }
          tag_on_failure => [ "_dissectfailure" ]
        }
      }
    }
    
    output {
      if [log][file][path] == "/var/lib/logstash/examples/dissect.log" {
        elasticsearch {
          hosts => ["http://elasticsearch.example.net:9200"]
          index => "app-dissect-%{+YYYY.MM.dd}"
        }
      }
    }

    The final placeholder msg captures the remainder of message (including spaces) because no trailing delimiter follows it.

  2. Test the pipeline configuration before applying it to the running service.
    $ sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash --path.data /tmp/logstash-configtest --config.test_and_exit
    Configuration OK
  3. Restart the Logstash service to load the updated pipeline.
    $ sudo systemctl restart logstash
  4. Confirm the Logstash service is active after the restart.
    $ sudo systemctl status logstash --no-pager
    ● logstash.service - logstash
         Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: enabled)
         Active: active (running) since Wed 2026-01-07 22:07:58 UTC; 3s ago
       Main PID: 35154 (java)
          Tasks: 31 (limit: 28486)
         Memory: 421.4M (peak: 421.4M)
            CPU: 13.967s
    ##### snipped #####
  5. Check the node pipeline statistics endpoint for event flow and filter activity.
    $ curl -s http://localhost:9600/_node/stats/pipelines?pretty
    {
      "pipelines" : {
        "main" : {
          "plugins" : {
            "filters" : [ {
              "id" : "dissect_app_log",
              "events" : {
                "in" : 1,
                "out" : 1
              }
            } ]
          }
        }
      }
    }

    Events tagged with _dissectfailure indicate lines that did not match the pattern and should be reviewed for delimiter or format changes.
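    The following is an added example, not part of the original pipeline and not Logstash's own code: a small Python emulation of the dissect pattern from step 1, run as a pre-rollout check over a constructed sample log. It shows the three behaviours the text describes (delimiters consumed in order, the last placeholder taking the remainder including spaces, and _dissectfailure when a delimiter is missing) and adds the check a practitioner wants before restarting the service: counting how many real lines would fail or silently misparse. The emulation is simplified (no %{?skip}, %{+append} or -> padding modifiers; an extra space between fields yields an empty value here rather than a padded match), the sample lines are constructed, and KNOWN_LEVELS is an assumption about the application's level names.

```python
"""Offline emulation of the page's dissect pattern, used as a pre-rollout
drift check. Added example; a simplified emulation, not Logstash's code."""
import re

# Pattern and failure tag copied from the page's dissect filter.
PATTERN = "%{ts} %{level} %{component} %{msg}"
FAILURE_TAG = "_dissectfailure"

# Constructed sample log; the last two lines deliberately drift from the format.
SAMPLE_LOG = [
    "2026-01-07T22:07:58Z INFO auth user login ok for alice",
    "2026-01-07T22:07:59Z WARN db slow query took 2300 ms",
    "2026-01-07T22:08:00Z ERROR",                                  # segments missing
    "2026-01-07T22:08:01Z  INFO auth double space shifts every field",  # extra space
]

# Assumption: the application only emits these level names.
KNOWN_LEVELS = {"DEBUG", "INFO", "WARN", "ERROR"}

_PLACEHOLDER = re.compile(r"%\{([^}]*)\}")


def compile_pattern(pattern):
    """Split a pattern into a literal prefix and (field, delimiter) pairs.

    The last field gets an empty delimiter, so it captures the remainder of
    the input, spaces included. Modifiers (%{?skip}, %{+append}, ->) are not
    implemented in this emulation.
    """
    parts = _PLACEHOLDER.split(pattern)  # [prefix, field, delim, field, ...]
    fields = parts[1::2]
    delims = parts[2::2]
    return parts[0], list(zip(fields, delims))


PREFIX, FIELDS = compile_pattern(PATTERN)


def dissect_line(line, prefix=PREFIX, fields=FIELDS):
    """Return the extracted fields, or None when a delimiter is not found."""
    if not line.startswith(prefix):
        return None
    pos = len(prefix)
    out = {}
    for name, delim in fields:
        if delim == "":
            out[name] = line[pos:]  # remainder capture for the final placeholder
            pos = len(line)
            continue
        end = line.find(delim, pos)
        if end < 0:
            return None  # delimiter missing: this is a dissect failure
        out[name] = line[pos:end]  # empty when two delimiters are adjacent
        pos = end + len(delim)
    return out


def process(line):
    """Build an event the way the filter would: fields on success, tag on failure."""
    event = {"message": line, "tags": []}
    parsed = dissect_line(line)
    if parsed is None:
        event["tags"].append(FAILURE_TAG)
    else:
        event.update(parsed)
    return event


def preflight(lines):
    """Classify lines before rollout: tagged failures, silent misparses, or ok.

    A drifted line can still match every delimiter and land values in the
    wrong fields without any tag, so a plausibility check on a field with a
    small known value set (level) catches what the failure tag cannot.
    """
    report = {"ok": 0, "failed": [], "suspicious": []}
    for line in lines:
        event = process(line)
        if FAILURE_TAG in event["tags"]:
            report["failed"].append(line)
        elif event["level"] not in KNOWN_LEVELS:
            report["suspicious"].append(line)
        else:
            report["ok"] += 1
    return report


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(process(line))
    print(preflight(SAMPLE_LOG))
```

    Run it against a real sample of the file before step 3; a non-empty suspicious list means the format has drifted in a way the _dissectfailure tag alone would not surface, and the mapping (or the producer) needs attention before events are indexed.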