parsejson

Parses a JSON string in a text field and extracts key-value pairs as fields.

Command properties

| Item | Description |
|---|---|
| Command type | Processing query |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Supported |
| Distributed execution | Not supported |

Syntax

parsejson [field=FIELD] [overlay={t|f}] [flatten={t|f}] [cutoff=N] [lenient={t|f}]

Options

field=FIELD
Name of the field to parse (default: line)
overlay={t|f}
When set to t, preserves the original record's fields and overlays the parsed fields onto them. When omitted, outputs only the parsed fields. (default: f)
flatten={t|f}
When set to t, flattens nested JSON objects. Nested keys are joined with an underscore (_). Array elements are named by appending their index number to the key in the same way. When flatten=t, the default value of cutoff changes to 5000. (default: f)
cutoff=N
Maximum number of characters to parse. When 0, parses the entire string without limit. When flatten=t, the default changes to 5000. (default: 0)
lenient={t|f}
When set to t, recovers and parses incomplete JSON truncated by cutoff. (default: f)

Error codes

Parse errors
| Error code | Message | Description |
|---|---|---|
| 21100 | The cutoff value [cutoff] must be an integer of 0 or more. | The cutoff value is less than 0 |

Description

The parsejson command parses the JSON string in the specified field and extracts key-value pairs as fields.

Using the flatten option flattens nested JSON objects. For example, {"a":{"b":1}} results in the field a_b with a value of 1. Arrays are flattened using index numbers. For example, {"x":["a","b"]} creates the fields x_0 and x_1.
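The flatten naming rule described above, modeled in Python as an added example (not Logpresso's implementation or code from this page). The function names and the events and a_b sample documents are constructed for illustration; the sketch also reports when two JSON paths map to the same flattened name, a case whose handling by parsejson this page does not describe.

```python
import json


def flatten(value, prefix=""):
    """Yield (field_name, scalar) pairs using the documented naming rule:
    nested keys joined with '_', array elements named by their index."""
    if isinstance(value, dict):
        items = value.items()
    elif isinstance(value, list):
        items = enumerate(value)
    else:
        yield prefix, value
        return
    # Empty objects and arrays have no leaves, so they yield no field here.
    for key, child in items:
        name = f"{prefix}_{key}" if prefix else str(key)
        yield from flatten(child, name)


def flatten_json(text):
    """Return (fields, collisions) for one JSON object given as a string.
    In this sketch the last value written wins on a collision (assumption)."""
    fields, collisions = {}, []
    for name, val in flatten(json.loads(text)):
        if name in fields:
            collisions.append(name)
        fields[name] = val
    return fields, collisions


if __name__ == "__main__":
    samples = [
        '{"parent":{"child":1, "sibling":2}}',                 # from the page
        '{"items":["a","b","c"]}',                             # from the page
        '{"events":[{"src_ip":"192.0.2.1","dst_port":80}]}',   # constructed
        '{"a_b":1,"a":{"b":2}}',                               # constructed
    ]
    for doc in samples:
        fields, collisions = flatten_json(doc)
        print(doc, "->", fields, "collisions:", collisions)
```

When a detection rule or search depends on a flattened field name, checking for such collisions in the source JSON shows whether that name identifies a single path.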

Using cutoff and lenient together allows you to parse only up to a specified size of a large JSON string and automatically recover the truncated portion.

Examples

  1. Parsing a JSON string

    json "{'line': '{\"src_ip\": \"192.0.2.1\", \"dst_port\": 80}'}" | parsejson
    

    Parses the JSON string in the line field and creates the src_ip and dst_port fields.

  2. Flattening nested JSON

    json "{'line': '{\"parent\":{\"child\":1, \"sibling\":2}}'}" | parsejson flatten=t
    

    Creates the parent_child and parent_sibling fields.

  3. Flattening an array

    json "{'line': '{\"items\":[\"a\",\"b\",\"c\"]}'}" | parsejson flatten=t
    

    Creates the items_0, items_1, and items_2 fields.

  4. Parsing only part of a large JSON string

    json "{'line': '{\"company\":\"Logpresso\"}'}" | parsejson cutoff=12 lenient=t
    

    Parses the JSON string up to 12 characters and recovers the truncated portion for parsing.