jsonextract

Use the jsonextract command to extract part of an existing field that holds JSON-formatted data, using a Json Path. The command captures the resulting excerpt in a virtual field.

Note

The jsonextract command cannot operate on the Original Log Content field. If no field is specified, the default field is Message. The extracted field has a string, number, or list data type.

To use the jsonextract command on the value of the Original Log Content field, first copy the Original Log Content field into a string field, and then run jsonextract on the new string field.

Syntax

jsonextract field = <field_to_parse> <new_field_name> = <jsonPath>

Parameters

The following table lists the parameters used in this command, along with their descriptions.

| Parameter | Description |
| --- | --- |
| field_to_parse | Specify the existing field that must be parsed using the Json Path. |
| new_field_name | Specify the virtual field into which the excerpt of the existing field must be captured. |
| jsonPath | Specify the Json Path where the information for the virtual field can be obtained. |

Json Path expressions refer to a JSON structure. The root member object in Json Path is referred to as $, regardless of whether it is an object or an array.

Json Path expressions can use dot notation, as in $.store.book[0].title, or bracket notation, as in $['store']['book'][0]['title']. For more information on Json Path, see JsonPath Expressions.

The following example uses the jsonextract command to find the title of the first book in the JSON held in the Store field:

* | jsonextract field = Store title = '$.store.book[0].title'
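
The path resolution described above, as an added Python sketch that is not part of this documentation and not the command's implementation: it resolves dot-notation and bracket-notation paths from the root member $ against a JSON string. The json_extract function, the STORE sample value, and the choice to return None when a path does not match are assumptions made for illustration.

```python
import json
import re

# One path step: .name (dot notation), ['name'] or [index] (bracket notation).
_STEP = re.compile(r"\.(?P<dot>[A-Za-z_][\w-]*)"
                   r"|\[\s*'(?P<quoted>[^']*)'\s*\]"
                   r"|\[\s*(?P<index>\d+)\s*\]")

# Constructed sample value for a field named Store (not real log data).
STORE = json.dumps({"store": {"book": [
    {"title": "Sayings of the Century", "price": 8.95, "tags": ["reference", "quotes"]},
    {"title": "Sword of Honour", "price": 12.99, "tags": ["fiction"]},
]}})


def json_extract(field_value, json_path):
    """Return the value selected by json_path, or None if nothing matches."""
    if not json_path.startswith("$"):
        raise ValueError("a Json Path starts at the root member $")
    try:
        node = json.loads(field_value)
    except (TypeError, ValueError):
        return None  # assumption of this sketch: non-JSON input yields no value
    pos = 1  # skip the leading $
    while pos < len(json_path):
        step = _STEP.match(json_path, pos)
        if step is None:
            raise ValueError(f"unsupported Json Path syntax at offset {pos}")
        pos = step.end()
        if step.group("index") is not None:
            # Array step: the current node must be a list long enough for the index.
            index = int(step.group("index"))
            if not isinstance(node, list) or index >= len(node):
                return None
            node = node[index]
        else:
            # Member step: the current node must be an object containing the key.
            key = step.group("dot") if step.group("dot") is not None else step.group("quoted")
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
    return node


if __name__ == "__main__":
    for path in ("$.store.book[0].title", "$['store']['book'][0]['title']",
                 "$.store.book[1].price", "$.store.book[0].tags"):
        print(path, "->", json_extract(STORE, path))
```

The four sample paths return a string, the same string through bracket notation, a number, and a list, matching the data types listed in the note above.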