Writes data as a JSON object, and includes field values
optionally. The specified fields will be formatted as JSON and
assigned to the field specified in as,
defaults to _json.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
as | string | optional[a] | _json | Name of output field. |
field[b] | array of strings | optional[a] | @rawstring | Values and fields that should be converted to JSON. Accepts either a value or array of values. Values are interpreted as prefix matches, unless a globbing pattern with * is given (see following example). |
[a] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscale SyntaxwriteJson(["value"])and:
logscale SyntaxwriteJson(field=["value"])These examples show basic structure only.
writeJson() Syntax Examples
Multiple fields can be included. Given events where:
jsona.b.c=5, a.b.e[0]=6, a.d=7, a.f.g=8use the query function to call:
logscalewriteJson(["a.b.c", "a.b.e[0]", "a.d", "a.f.g"])It will write the following JSON to each event, respectively:
json{"a":{"b":{"c":5}}}, {"a":{"b":{"e":[6]}}}, {"a":{"d":7}}, {"a":{"f":{"g":8}}}Arguments passed to the field parameter are interpreted as prefix matches. For example, the query:
logscalewriteJson(field=["a.b"])matches:
jsona.b.c a.bc a.b[0] a.b! …Array-glob patterns can be passed to the field parameter. For example, the query:
logscalewriteJson(field=["a.b[*]"])matches all fields in the event and it also matches anything else that starts with a:
json Syntaxa.b[0] a.b[0]c a.b[0].c a.b[0][0] a.b[0]! ... a.b[1]c a.b[1].c a.b[1][0] a.b[1]! …
writeJson()Examples
Click next to an example below to get the full details.
Convert Fields to JSON Format
Convert values and fields to JSON format using the
writeJson() function
Query
writeJson(["a.b.c", "a.b.e[0]", "a.d", "a.f.g"])Introduction
In this example, the writeJson() function is used
to create a nested JSON structure from an array of field paths. The
function handles both regular nested fields and array indexing.
Example incoming data might look like this:
| @timestamp | a.b.c | a.b.e[0] | a.d | a.f.g |
|---|---|---|---|---|
| 2023-06-15T10:30:00Z | value1 | value2 | value3 | value4 |
| 2023-06-15T10:30:01Z | test1 | test2 | test3 | test4 |
| 2023-06-15T10:30:02Z | data1 | data2 | data3 | data4 |
Step-by-Step
Starting with the source repository events.
- logscale
writeJson(["a.b.c", "a.b.e[0]", "a.d", "a.f.g"])Creates a JSON structure from the specified field paths and returns the JSON formatted results in a new field named _json.
In this example, the
writeJson()function:Takes an array of field paths as input.
Handles nested field paths using dot notation.
Supports array indexing with square bracket notation.
Maintains the hierarchical relationship between fields in the resulting JSON.
Event Result set.
Summary and Results
The query is used to transform flat field references into a structured JSON object, preserving the hierarchical relationships between fields.
This query is useful, for example, to reconstruct nested data structures from flattened fields, to prepare data for external systems that expect nested JSON or to create structured views of related fields
Sample output from the incoming example data:
| _json | a.b.c | a.b.e[0] | a.d | a.f.g |
|---|---|---|---|---|
| {"a":{"b":{"c":"value1","e":["value2"]},"d":"value3","f":{"g":"value4"}}} | value1 | value2 | value3 | value4 |
| {"a":{"b":{"c":"test1","e":["test2"]},"d":"test3","f":{"g":"test4"}}} | test1 | test2 | test3 | test4 |
| {"a":{"b":{"c":"data1","e":["data2"]},"d":"data3","f":{"g":"data4"}}} | data1 | data2 | data3 | data4 |