Parse JSON Content With Specific Parameters

Parse JSON content with specific parameters, excluding the actual query content while retaining the query start time, using the parseJson() function.

Query

logscale
#type=audit-log
| /"type":"alert.update"/
| parseJson(exclude="query", include="queryStart")

Introduction

The parseJson() function can be used to parse data or a field as JSON, converting the data into named fields and arrays within the event. The exclude parameter removes extracted fields by prefix, so it covers both nested paths (query.string) and array elements under that path; because it is a prefix match, non-nested fields that merely start with the same text (queryStart) are excluded as well. The include parameter adds back specific extracted fields that the exclusion would otherwise drop.

A prefix can also be added to, or removed from, the extracted field names using the prefix and removePrefixes parameters. For more information, see parseJson() Syntax Examples.

In this example, the parseJson() function is used to search audit logs for alert update events, specifically looking at the queryStart field (timestamp), while excluding the actual query content (query.xxx).

Step-by-Step

  1. Starting with the source repository events.

  2. [Pipeline diagram: Events -> Expression -> Filter -> Add Field -> Result Set; this step is the Expression stage.]
    logscale
    #type=audit-log

    Filters for all events from repository audit-log.

  3. [Pipeline diagram: Events -> Expression -> Filter -> Add Field -> Result Set; this step is the Filter stage.]
    logscale
    | /"type":"alert.update"/

    Filters for events (audit logs) whose @rawstring field matches the regular expression "type":"alert.update" (the surrounding slashes delimit the regex and are not part of the matched text). Note that the unescaped . in alert.update matches any character; the match is still effectively exact for the audit-log content this query targets.

  4. [Pipeline diagram: Events -> Expression -> Filter -> Add Field -> Result Set; this step is the Add Field stage.]
    logscale
    | parseJson(exclude="query", include="queryStart")

    Parses the JSON content of each matching event, excluding every field under the query prefix and adding back only the queryStart field.

    The exclusion is a prefix match on the extracted field name: the value query matches nested fields (such as query.string) and equally any non-nested field whose name starts with query (such as queryString, queryStart, and queryEnd). In this example, to retain the non-nested field queryStart while still excluding the others, the include parameter is used; include takes precedence over exclude for the fields it names.

  5. Event Result set.
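The following is an added example, not code from the LogScale documentation or product: a small Python emulation of the three pipeline steps above, run over two constructed audit-log events. It flattens the JSON into LogScale-style dotted field names, applies the regex filter, and then implements the exclude/include behaviour exactly as the steps describe it (prefix matching, with include overriding exclude). The sample events, the field names they carry, and the prefix-match implementation are assumptions made for illustration; the real parseJson() implementation may differ in detail.

```python
import json
import re

# Constructed sample audit-log events (illustrative only, not captured from a
# real LogScale instance). Compact separators keep the raw string in the
# "key":"value" shape the regex filter in the query expects.
_COMPACT = (",", ":")
SAMPLE_EVENTS = [
    json.dumps({
        "type": "alert.update",
        "actor": {"user": "analyst@example.com"},
        "alert": {"name": "Failed logins spike"},
        "query": {"string": "#repo=auth | failed=true | count()"},
        "queryString": "#repo=auth | failed=true | count()",
        "queryStart": "24h",
        "queryEnd": "now",
        "tags": ["prod", "identity"],
    }, separators=_COMPACT),
    json.dumps({
        "type": "alert.create",
        "actor": {"user": "admin@example.com"},
        "query": {"string": "#repo=web | status=500"},
        "queryStart": "1h",
    }, separators=_COMPACT),
]

# Step 3 of the page: the /"type":"alert.update"/ regex applied to @rawstring.
ALERT_UPDATE = re.compile(r'"type":"alert\.update"')


def flatten(value, prefix=""):
    """Turn nested JSON into dotted field names the way parseJson() does.

    Objects become prefix.key, arrays become prefix[index].
    """
    fields = {}
    if isinstance(value, dict):
        for key, child in value.items():
            name = f"{prefix}.{key}" if prefix else key
            fields.update(flatten(child, name))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            fields.update(flatten(child, f"{prefix}[{index}]"))
    else:
        fields[prefix] = value
    return fields


def _prefix_match(field, patterns):
    # Assumption: exclude/include are prefix matches on the field name, as the
    # page describes (exclude="query" also covers queryStart and queryEnd).
    return any(field.startswith(p) for p in patterns)


def parse_json(rawstring, exclude=(), include=()):
    """Emulate parseJson(exclude=..., include=...) on one event's @rawstring."""
    parsed = {}
    for field, value in flatten(json.loads(rawstring)).items():
        if _prefix_match(field, exclude) and not _prefix_match(field, include):
            continue  # excluded and not rescued by include
        parsed[field] = value
    return parsed


def run_query(events, exclude=("query",), include=("queryStart",)):
    """#type=audit-log | /"type":"alert.update"/ | parseJson(exclude, include)"""
    results = []
    for raw in events:
        if not ALERT_UPDATE.search(raw):
            continue
        results.append(parse_json(raw, exclude=exclude, include=include))
    return results


if __name__ == "__main__":
    for event in run_query(SAMPLE_EVENTS):
        for name, value in sorted(event.items()):
            print(f"{name} = {value!r}")
```

Running the emulation shows the effect the page describes: the alert.create event is dropped by the filter, and the surviving alert.update event keeps type, actor.user, alert.name, tags[0] and queryStart, while query.string, queryString and queryEnd are all removed by the single exclude="query" prefix.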

Summary and Results

The query is used to search audit logs for alert update events, specifically looking at the non-nested queryStart field, while excluding the actual query content (query.xxx). The query is useful if, for example, you want to review alert activity without the overhead of full query contents, track temporal patterns in alert updates, or investigate alert timing issues further.