Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

extractjson

The extractjson command is similar to the extract command, but it instead parses the contents of all specifed files as JSON and adds each identiified key-value pair as a new field on the event.

Syntax

The extractjson command accepts a list of field names to attempt to extract JSON from. If any of these fields are present, they will be parsed as JSON and each key-value pair in the resulting object will be added as a new field on the event. The new fields will be prefixed with the name of the original field that was extracted, followed by a _ character.

| extractjson <field> [<field> ...]

Example

For an example event where the field foo is a JSON string with the following value:

{"bar": "baz"}

This command would add a new field called foo_bar to the event, with the value of "baz":

| extractjson foo