Using JSON Paths

Question

I'm attempting to extract values from a JSON string field. However, it seems, that none of the below methods are working for referencing or obtaining the value using a JSON path or dot notation type of approach. I've even tried the "extract_json" function, but to no avail.

KQL in Azure has the bag_unpack function, but I noticed this is not supported in Cribl Search.

Below are my queries and results.

| extend json=parse_json(_raw)

| extend test1=_raw._raw.kubernetes.container_name

| extend test2=json._raw.kubernetes.container_name

| extend test3=json['_raw']['kubernetes']['container_name']

| extend test4=extract_json("$._raw.kubernetes.container_name", json, typeof(string))

| limit 10

benjamin.rader · Answer

Alright I've got two workarounds for this.
1. If using default Cribl Search "datatype" (dataset settings), then use the below query structure as a workaround to parse through nested json

dataset="OpenlaneCriblS3"

| extend json=parse_json(_raw)

| extend json=parse_json(json._raw)

| extend container_name=json.kubernetes.container_name, namespace_name=json.kubernetes.namespace_name, app_name=json.kubernetes.labels["app_kubernetes_io/name"], pod_name=json.kubernetes.pod_name, level=json.level

2. Change the datatype to Cribl Search _raw Data then use the below type of query to pull out values from objects

dataset="OpenlaneCriblS3"

| extend json=parse_json(_raw)

| extend container_name=json.kubernetes.container_name, namespace_name=json.kubernetes.namespace_name, app_name=json.kubernetes.labels["app_kubernetes_io/name"], pod_name=json.kubernetes.pod_name, level=json.level

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded