Skip to main content

I'm attempting to extract values from a JSON string field. However, it seems, that none of the below methods are working for referencing or obtaining the value using a JSON path or dot notation type of approach. I've even tried the "extract_json" function, but to no avail.


KQL in Azure has the bag_unpack function, but I noticed this is not supported in Cribl Search.

Below are my queries and results.

| extend json=parse_json(_raw)

| extend test1=_raw._raw.kubernetes.container_name

| extend test2=json._raw.kubernetes.container_name

| extend test3=json['_raw']['kubernetes']['container_name']

| extend test4=extract_json("$._raw.kubernetes.container_name", json, typeof(string))

| limit 10

778_2918659321834f9e8f8368189af7a1fa.png778_47b071ff9701493692d60783ddace34f.png

Alright I've got two workarounds for this.
1. If using default Cribl Search "datatype" (dataset settings), then use the below query structure as a workaround to parse through nested json

dataset="OpenlaneCriblS3" 

| extend json=parse_json(_raw)
| extend json=parse_json(json._raw)

| extend container_name=json.kubernetes.container_name, namespace_name=json.kubernetes.namespace_name, app_name=json.kubernetes.labels["app_kubernetes_io/name"], pod_name=json.kubernetes.pod_name, level=json.level

2. Change the datatype to Cribl Search _raw Data then use the below type of query to pull out values from objects

dataset="OpenlaneCriblS3" 
| extend json=parse_json(_raw)
| extend container_name=json.kubernetes.container_name, namespace_name=json.kubernetes.namespace_name, app_name=json.kubernetes.labelss"app_kubernetes_io/name"], pod_name=json.kubernetes.pod_name, level=json.level
 

            

    
                                                    

    
I found the solution awhile back for this.

It's simple.  Sometimes you will have a JSON string nested inside of a JSON string, so you either need to change the "Datatypes" for that "Dataset" to "Cribl Search raw Data" or keep doing "parse_json" till you have parsed out your nested JSON.

If you're using the Cribl Search datatype and have _raw nested inside of _raw, then do the below syntax until you get what you want

 | extend json=parse_json(_raw)
| extend json=parse_json(json._raw)
However, it's probably best that you change your datatype to "Cribl Search raw Data" to avoid at least having to do this an extra time so you only need the one | extend json=parse_json(_raw)
778_bca85780390b4834bf8f169b8482db74.png
            

    
                                            

                

            

        
                                                                

                        

                            
  
Reply










                        

                    

                                                

        

    


            

                                      

                                                                                                
            






        

                        

    
    





    


                                        

                                                        

            
        
    






                                    
Terms & ConditionsCookie settings