json_extract_array

The Cortex XDR XQL json_extract_array() function accepts a string representing a JSON array, and returns an XQL-native array.

Synopsis

json_extract_array(<json_array_string>, <field_path>)
To make it easier for you to write your XQL queries, you can also use the following syntactic sugar format.
<json_array_string> -> <field_path>[]

Description

The json_extract_array() function accepts a string representing a JSON array, and it returns an XQL-native array. To convert a string field to a JSON object, use the to_json_string function.

Examples

Extract the first IPv4 address found in the first element of the agent_interface_map array.
dataset = xdr_data | fields agent_interface_map as aim | alter ipv4 = json_extract_array(to_json_string(arrayindex(aim, 0)), "$.ipv4") | filter aim != null | limit 10
Using Syntactic Sugar Format
The same example as above, written in the syntactic sugar format.
dataset = xdr_data | fields agent_interface_map as aim | alter ipv4 = to_json_string(aim)->[0].ipv4[0] | filter aim != null | limit 10
