Writes data as a JSON object, and includes field values optionally. The specified fields will be formatted as JSON and assigned to the field specified in as, defaults to _json.

ParameterTypeRequiredDefaultDescription
asstringoptional[a]_json Name of output field.
field[b]Array of stringsoptional[a]@rawstring Values and fields that should be converted to JSON. Accepts either a value or array of values. Values are interpreted as prefix matches, unless a globbing pattern with * is given (see example below.)

[a] Optional parameters use their default value unless explicitly set

[b] The argument name field can be omitted.

Omitted Argument Names

The argument name for field can be omitted; the following forms of this function are equivalent:

logscale
writeJson("field")

and:

logscale
writeJson(field="field")

These examples show basic structure only; full examples are provided below.

writeJson() Examples

  • Multiple fields can be included. Given events where:

    json
    a.b.c=5,
a.b.e[0]=6,
a.d=7,
a.f.g=8

    use the query function to call:

    logscale
    writeJson(["a.b.c", "a.b.e[0]", "a.d", "a.f.g"])

    It will write the following JSON to each event, respectively:

    json
    {"a":{"b":{"c":5}}},
{"a":{"b":{"e":[6]}}},
{"a":{"d":7}},
{"a":{"f":{"g":8}}}

  • Arguments passed to the field parameter are interpreted as prefix matches. For example, the query:

    logscale
    writeJson(field=["a.b"])

    matches:

    json
    a.b.c
 a.bc
 a.b[0]
 a.b!
…

  • Array-glob patterns can be passed to the field parameter. For example, the query:

    logscale
    writeJson(field=["a.b[*]"])

    matches all fields in the event and it also matches anything else that starts with a:

    json
    a.b[0]
 a.b[0]c
 a.b[0].c
 a.b[0][0]
 a.b[0]!
 ...
 a.b[1]c
 a.b[1].c
 a.b[1][0]
 a.b[1]!
…