How-To: Reformat a JSON Array using parseJson()

By default, the parseJson() function will turn an array into separate fields. Let's say you have this:

json

{
  "HostnameField":"SE-CPE-RDP",
  "Commands": [
    "runscript -Raw=```Get-ChildItem .\n```",
    "pwd",
    "update list",
    "update history"
  ],
  "UTCTimestamp":1694553805000
}

You'd end up with the following fields:

Raw Events

Commands[0]

Commands[1]

Commands[2]

Commands[3]

Let's say you want to recombine those into a single field, with each value separated by a \n. The concatArray() function can combine this:

logscale

// Quick filter that we know will bring back an array. 
#streamingApiEvent=Event_RemoteResponseSessionEndEvent

// Recombine the "Commands[]" values as "commandsArray" and separate them all by a new line character. 
| concatArray(Commands, as=commandsArray, separator="\n")

// Display the results. 
| select([@timestamp, HostnameField, commandsArray])

Figure 14. Example output from concatArray()

Knowledge Base

How-To: Reformat a JSON Array using parseJson()

Enter search term