extractjson

The extractjson command is similar to the extract command, but it instead parses the contents of all specifed files as JSON and adds each identiified key-value pair as a new field on the event.

Syntax

The extractjson command accepts a list of field names to attempt to extract JSON from. If any of these fields are present, they will be parsed as JSON and each key-value pair in the resulting object will be added as a new field on the event. The new fields will be prefixed with the name of the original field that was extracted, followed by a _ character.

| extractjson <field> [<field> ...]

Example

For an example event where the field foo is a JSON string with the following value:

{"bar": "baz"}

This command would add a new field called foo_bar to the event, with the value of "baz":

| extractjson foo

Crystalline

extractjson

Syntax

Example