
Using JSON Paths


I'm attempting to extract values from a JSON string field. However, it seems that none of the below methods are working for referencing or obtaining the value using a JSON path or dot-notation type of approach. I've even tried the "extract_json" function, but to no avail.


KQL in Azure has the bag_unpack function, but I noticed this is not supported in Cribl Search.

Below are my queries and results.

| extend json=parse_json(_raw)
| extend test1=_raw._raw.kubernetes.container_name                                    // dot notation on the raw string field
| extend test2=json._raw.kubernetes.container_name                                    // dot notation on the parsed object
| extend test3=json['_raw']['kubernetes']['container_name']                           // bracket notation on the parsed object
| extend test4=extract_json("$._raw.kubernetes.container_name", json, typeof(string))  // JSON path via extract_json
| limit 10


Answers

  • benjamin.rader
    benjamin.rader Posts: 5
    edited November 2023

    Alright, I've got two workarounds for this.
    1. If using the default Cribl Search "datatype" (dataset settings), then use the below query structure as a workaround to parse through nested JSON

    dataset="OpenlaneCriblS3"
    | extend json=parse_json(_raw)        // first pass: _raw is a JSON string
    | extend json=parse_json(json._raw)   // second pass: the inner _raw is itself a JSON string
    | extend container_name=json.kubernetes.container_name, namespace_name=json.kubernetes.namespace_name, app_name=json.kubernetes.labels["app_kubernetes_io/name"], pod_name=json.kubernetes.pod_name, level=json.level

    2. Change the datatype to Cribl Search _raw Data then use the below type of query to pull out values from objects

    dataset="OpenlaneCriblS3"
    | extend json=parse_json(_raw)        // single pass is enough with the raw Data datatype
    | extend container_name=json.kubernetes.container_name, namespace_name=json.kubernetes.namespace_name, app_name=json.kubernetes.labels["app_kubernetes_io/name"], pod_name=json.kubernetes.pod_name, level=json.level

  • benjamin.rader

    I found the solution a while back for this.

    It's simple. Sometimes you will have a JSON string nested inside of a JSON string, so you either need to change the "Datatypes" for that "Dataset" to "Cribl Search raw Data" or keep doing "parse_json" till you have parsed out your nested JSON.

    If you're using the Cribl Search datatype and have _raw nested inside of _raw, then do the below syntax until you get what you want

    | extend json=parse_json(_raw)        // outer JSON string
    | extend json=parse_json(json._raw)   // inner JSON string; repeat if _raw is still a string

    However, it's probably best that you change your datatype to "Cribl Search raw Data" to avoid at least having to do this an extra time so you only need the one | extend json=parse_json(_raw)
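The following is an added illustration, not code from this thread or from Cribl, of why the single-parse queries in the question come back empty and what the "keep calling parse_json" workaround from both answers amounts to. It models a double-encoded event in Python: the outer `_raw` is a JSON string whose own `_raw` field is another JSON string holding the Kubernetes log. The sample events are constructed for the example, and `parse_json` here only approximates Cribl Search's function (string decoded, non-string passed through, non-JSON string yields None); `get_path`, `unwrap_nested_raw` and `extract_fields` are helper names chosen for this example. It goes one step beyond the posts by bounding the re-parse loop and by stopping cleanly when `_raw` turns out to be plain text rather than JSON.

```python
import json
from typing import Any, Optional

# Constructed sample data (not from the original post). With the default Cribl
# Search datatype, the event's _raw is a JSON string whose own _raw field is
# another JSON-encoded string: the Kubernetes log is double-encoded.
INNER_LOG = {
    "kubernetes": {
        "container_name": "api",
        "namespace_name": "prod",
        "pod_name": "api-7d9f8-x2k1q",
        "labels": {"app_kubernetes_io/name": "api"},
    },
    "level": "error",
    "message": "upstream timeout",
}
# What _raw looks like under the default datatype (a _raw nested inside _raw).
DEFAULT_DATATYPE_RAW = json.dumps({"_raw": json.dumps(INNER_LOG), "host": "node-1"})
# What _raw looks like under the "Cribl Search raw Data" datatype (one level only).
RAW_DATATYPE_RAW = json.dumps(INNER_LOG)
# An event whose inner _raw is plain text, not JSON: unwrapping must stop there.
PLAIN_TEXT_RAW = json.dumps({"_raw": "kernel: eth0 link up", "host": "node-1"})


def parse_json(value: Any) -> Any:
    """Approximation of Cribl Search's parse_json() (assumed semantics): decode a
    string, pass a non-string through unchanged, return None if the string is
    not valid JSON."""
    if not isinstance(value, str):
        return value
    try:
        return json.loads(value)
    except ValueError:
        return None


def get_path(obj: Any, path: str) -> Optional[Any]:
    """Dotted-path lookup that returns None rather than raising when a segment is
    missing or the current value is not an object. This is the behaviour behind
    json._raw.kubernetes.container_name being empty after one parse: _raw is
    still a string, so descending into it yields nothing."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def unwrap_nested_raw(raw: str, max_depth: int = 5) -> Any:
    """The 'keep calling parse_json until there is no string _raw left' workaround
    as a loop: re-parse while the result is an object whose _raw is a JSON
    string. max_depth bounds the loop on pathological input."""
    obj = parse_json(raw)
    for _ in range(max_depth):
        if not (isinstance(obj, dict) and isinstance(obj.get("_raw"), str)):
            break
        inner = parse_json(obj["_raw"])
        if inner is None:          # _raw is plain text; keep the outer object
            break
        obj = inner
    return obj


def extract_fields(raw: str) -> dict:
    """Equivalent of the answer's final `extend` line, after unwrapping."""
    j = unwrap_nested_raw(raw)
    return {
        "container_name": get_path(j, "kubernetes.container_name"),
        "namespace_name": get_path(j, "kubernetes.namespace_name"),
        "app_name": get_path(j, "kubernetes.labels.app_kubernetes_io/name"),
        "pod_name": get_path(j, "kubernetes.pod_name"),
        "level": get_path(j, "level"),
    }


if __name__ == "__main__":
    # Single parse: _raw is still a string, so the dotted lookup finds nothing.
    print(get_path(parse_json(DEFAULT_DATATYPE_RAW), "_raw.kubernetes.container_name"))
    # Repeated parse: the same fields come out under either datatype.
    print(extract_fields(DEFAULT_DATATYPE_RAW))
    print(extract_fields(RAW_DATATYPE_RAW))
```

Run it as a script to see the None from the single-parse lookup next to the fully extracted fields. Switching the dataset to the raw Data datatype corresponds to `RAW_DATATYPE_RAW` here: one `parse_json` is enough, and the same extraction line works unchanged.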