Use the jsonextract command to obtain excerpts of an existing field using a Json Path from JSON format data. The command captures the resulting excerpt into a virtual field.


The jsonextract command cannot operate on the Original Log Content field. Default field, if not specified, is Message. The extracted field has a string, number or a list data type.

To be able to use the jsonextract command on the value of Original Log Content field, first copy the Original Log Content field into a string field, and then run jsonextract on the new string field.


jsonextract field = <field_to_parse> <new_field_name> = <jsonPath>


The following table lists the parameters used in this command, along with their descriptions.

Parameter Description


Specify the existing field that must be parsed using the Json Path.


Specify the virtual field into which the excerpt of the existing field must be captured.


Specify the Json Path where the information for the virtual field can be obtained.

Json Path expressions refer to a JSON structure. The root member object in Json Path is referred to as $ regardless if it is an object or array.

Json Path expressions can use the dot–notation as in $.store.book[0].title or the bracket–notation as in $['store']['book'][0]['title']. For more information on Json Path, see JsonPath Expressions.

The following example uses the jsonextract command to find the title of the first book in the Json:

* | jsonextract field = Store title = '$.store.book[0].title'