jsonextract
Use the jsonextract command to obtain excerpts of an existing field using a Json Path from JSON format data. The command captures the resulting excerpt into a virtual field.
The jsonextract command cannot operate on the Original Log Content field. If no field is specified, the default field is Message. The extracted field has a string, number, or list data type.
jsonextract is not meant for extracting values from large amounts of text or for processing a large number of log records. Use the JSON type parser and a log source for such use cases.
Syntax
jsonextract field = <field_to_parse> <new_field_name> = <jsonPath>
Parameters
The following table lists the parameters used in this command, along with their descriptions.
Parameter | Description |
---|---|
field_to_parse | Specify the existing field that must be parsed using the Json Path. |
new_field_name | Specify the virtual field into which the excerpt of the existing field must be captured. |
jsonPath | Specify the Json Path where the information for the virtual field can be obtained. Json Path expressions refer to a JSON structure. The root member object in Json Path is referred to as Json Path expressions can use the dot–notation as in |
The following example uses the jsonextract command to find the title of the first book in the Json:
* | jsonextract field = Store title = '$.store.book[0].title'
The example log from which the value must be extracted:
{
"store":{
"book":[
{"category":"fiction","author":"James Patterson","title":"Fifty Fifty","price":12.99,"count":17},
{"category":"fiction","author":"Chris Bohjalian","title":"The Flight Attendant","price":14.99,"count":10},
{"category":"fiction","author":"John Grisham","title":"The Guardians","price":10.99}
],
"bicycle":{"color":"blue","price":27.25}
},
"expensive":12
}
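How the path in the example resolves against this log, shown as an added Python sketch. It is not part of the original documentation and not the command's implementation. The names `parse_path` and `extract` are hypothetical, only dot-notation and numeric indexes are handled, and returning `None` for a path that does not resolve is an assumption of this example, not documented command behaviour.

```python
import json
import re

# Sample log copied from the page.
SAMPLE_LOG = '''{"store":{"book":[
 {"category":"fiction","author":"James Patterson","title":"Fifty Fifty","price":12.99,"count":17},
 {"category":"fiction","author":"Chris Bohjalian","title":"The Flight Attendant","price":14.99,"count":10},
 {"category":"fiction","author":"John Grisham","title":"The Guardians","price":10.99}],
 "bicycle":{"color":"blue","price":27.25}},"expensive":12}'''

# One path step: .name or [index]
_STEP = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")

def parse_path(path):
    """Split a path such as $.store.book[0].title into keys and indexes."""
    if not path.startswith("$"):
        raise ValueError("path must start at the root object '$'")
    steps, pos = [], 1
    while pos < len(path):
        m = _STEP.match(path, pos)
        if m is None:
            raise ValueError(f"unsupported syntax at offset {pos}: {path[pos:]!r}")
        steps.append(m.group(1) if m.group(1) is not None else int(m.group(2)))
        pos = m.end()
    return steps

def extract(raw, path):
    """Return the value at path, or None when the path does not resolve."""
    try:
        node = json.loads(raw)
    except json.JSONDecodeError:
        return None  # field content is not JSON
    for step in parse_path(path):
        if isinstance(step, int) and isinstance(node, list) and step < len(node):
            node = node[step]
        elif isinstance(step, str) and isinstance(node, dict) and step in node:
            node = node[step]
        else:
            return None  # missing key, index out of range, or wrong container
    return node

if __name__ == "__main__":
    # A string, a number, a list, and a key that the third book lacks.
    for p in ("$.store.book[0].title", "$.store.bicycle.price",
              "$.store.book", "$.store.book[2].count"):
        value = extract(SAMPLE_LOG, p)
        print(f"{p:26} -> {type(value).__name__}: {value!r}")
```

The four paths cover the three data types named above (string, number, list) plus a record that lacks the requested key, which is the case to check for before building a detection or a filter on an extracted field.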