The Cortex XDR XQL json_extract() function accepts a string representing a JSON object and returns the value of one field from that object, always as a string.
Synopsis
json_extract(<json_object_formatted_string>, <field_path>)
Description
The json_extract() function accepts a string representing a JSON object and retrieves the value of the identified field. The returned data type is always a string.
If the input string does not represent a JSON object, the function fails to parse it. If the field you want to read is stored as a JSON object rather than as a string (as action_file_device_info in the xdr_data dataset is), convert it with the to_json_string() function first and pass the resulting string to json_extract().
The field_path argument identifies the field you want to extract, written in dot notation, where the root of the object is represented by $.
For example, if you have the following object:
{
"a_field" : "This is a_field value",
"b_field" : {
"c_field" : "This is c_field value"
}
}
Then the path $.a_field returns "This is a_field value", while the path $.b_field.c_field returns "This is c_field value".
JSON field names are case sensitive, so $.A_field does not match a_field.
The field value is always returned as a string, even when the JSON value is a number or a boolean, so convert it before comparing it numerically. To return the literal value with its appropriate data type, use json_extract_scalar().
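The following Python block is an added example, not Cortex XDR code and not part of the original page: it models the documented behaviour of json_extract() (parse a JSON-object string, follow a $-rooted dot path, return the value as a string) next to json_extract_scalar(), so the case-sensitivity, the parse failure on non-object input and the string-versus-typed return can be seen on the page's own sample object. The sample object is constructed from the page's example plus a numeric and a boolean field. Treating a missing key as a null result, re-serializing a nested object as compact JSON, and having the scalar variant return null for an object are assumptions of this model, not statements from the documentation.

```python
import json
from typing import Any, Optional

# Constructed sample: the page's example object, extended with a numeric and a
# boolean value to show that json_extract() stringifies everything.
SAMPLE_OBJECT = json.dumps({
    "a_field": "This is a_field value",
    "b_field": {"c_field": "This is c_field value"},
    "size": 4096,
    "removable": True,
})


def _walk(json_object_string: str, field_path: str) -> Any:
    """Parse the input and follow a '$.x.y' path.

    Raises ValueError when the input is not a JSON object (the documented
    parse failure). A missing key returns None, which this model uses to
    stand in for an XQL null (assumption).
    """
    try:
        obj = json.loads(json_object_string)
    except (TypeError, ValueError) as exc:
        raise ValueError("input does not parse as JSON") from exc
    if not isinstance(obj, dict):
        raise ValueError("input is not a JSON object")
    if field_path != "$" and not field_path.startswith("$."):
        raise ValueError("field_path must start with '$'")
    keys = [] if field_path == "$" else field_path[2:].split(".")
    current: Any = obj
    for key in keys:
        # Dictionary lookup is case sensitive, matching the documented rule.
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def xql_json_extract(json_object_string: str, field_path: str) -> Optional[str]:
    """Model of json_extract(): whatever sits at the path comes back as a string.

    Nested objects are re-serialized as compact JSON (assumed serialization).
    """
    value = _walk(json_object_string, field_path)
    if value is None:
        return None
    if isinstance(value, str):
        return value
    return json.dumps(value, separators=(",", ":"))


def xql_json_extract_scalar(json_object_string: str, field_path: str) -> Any:
    """Model of json_extract_scalar(): scalars keep their JSON type.

    An object or array at the path yields None here (assumption).
    """
    value = _walk(json_object_string, field_path)
    if isinstance(value, (dict, list)):
        return None
    return value


def is_json_object_string(candidate: str) -> bool:
    """True when json_extract() would accept the input, i.e. it parses to an object."""
    try:
        _walk(candidate, "$")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(xql_json_extract(SAMPLE_OBJECT, "$.a_field"))
    print(xql_json_extract(SAMPLE_OBJECT, "$.b_field.c_field"))
    print(repr(xql_json_extract(SAMPLE_OBJECT, "$.size")))         # string
    print(repr(xql_json_extract_scalar(SAMPLE_OBJECT, "$.size")))  # int
    print(xql_json_extract(SAMPLE_OBJECT, "$.A_field"))            # case sensitive
    print(is_json_object_string("not json"), is_json_object_string("[1, 2]"))
```

The practical point the model makes visible is the last comparison: a query that filters on `json_extract(...) > 1024` is comparing a string, whereas `json_extract_scalar(...)` keeps the number. A JSON array string such as `[1, 2]` is also rejected, because the documented input is an object, not arbitrary JSON.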
Examples
Return the storage_device_name value from the action_file_device_info field. The field holds a JSON object, so it is first converted to a string with to_json_string(); the final filter drops events where the field is null.
dataset = xdr_data
| fields action_file_device_info as afdi
| alter sdn = json_extract(to_json_string(afdi), "$.storage_device_name")
| filter afdi != null