How-To: Reformat a JSON Array using parseJson()

By default, the parseJson() function will turn an array into separate fields. Let's say you have this:

{
  "HostnameField":"SE-CPE-RDP",
  "Commands": [
    "runscript -Raw=```Get-ChildItem .\n```",
    "pwd",
    "update list",
    "update history"
  ],
  "UTCTimestamp":1694553805000
}

You'd end up with the following fields:

Commands[0]
Commands[1]
Commands[2]
Commands[3]

Let's say you want to recombine those into a single field, with each value separated by a \n. Meet the concatArray() function:

// Quick filter that we know will bring back an array. 
#streamingApiEvent=Event_RemoteResponseSessionEndEvent

// Recombine the "Commands[]" values as "commandsArray" and separate them all by a new line character. 
| concatArray(Commands, as=commandsArray, separator="\n")

// Display the results. 
| select([@timestamp, HostnameField, commandsArray])

Figure 14. Example output:

Knowledge Base

How-To: Reformat a JSON Array using parseJson()

Enter search term