Our engineering team is developing a new feature that would allow us to automatically parse JSON logs. This requires us to update our existing JSONPath library, which will change the usage of the "@" symbol. Queries that use the JSON operator to extract fields with the "@" symbol will need to be updated so we can move forward with this new automatic JSON parsing feature.
Example of what needs to change
What the affected JSON parsing queries look like now:
| json "@field_name" as field_name
What we need your help to change them to:
| json "['@field_name']" as field_name
The specific change is inserting an open bracket and single quote before each extracted field, with the matching closing single quote and bracket after it.
Example of a JSON parse query like one you might have today
| json field=jsonObject "@source","@source_host","@fields.logger","@message"
What the above needs to change to:
| json field=jsonObject "['@source']","['@source_host']","['@fields'].logger","['@message']" as Source,SourceHost,SOR,Message
NOTE: For nested keys that use the dotted notation, you only need to apply the change to the root key. See "@fields.logger" in the example above, which becomes "['@fields'].logger".
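The rewrite rule above can be applied to saved query text in bulk. The following is an added example, not code from the vendor: the function name `migrate_query` and the sample query are constructed for illustration, and it assumes no literal "|" appears inside a json clause's quoted paths.

```python
import re

# A json operator clause: "| json" up to the next pipe.
# Assumption: no literal "|" occurs inside the clause's quoted paths.
JSON_CLAUSE = re.compile(r'\|\s*json\b[^|]*', re.IGNORECASE)

# A double-quoted path whose root key starts with "@". The root key ends at
# the first "." or "[", so nested parts keep their dotted notation.
AT_PATH = re.compile(r'"(@[^".\[\]\']+)([^"]*)"')


def _bracket(m):
    # "@root.rest" -> "['@root'].rest"
    return '"[\'' + m.group(1) + '\']' + m.group(2) + '"'


def migrate_query(query):
    """Return (migrated_query, number_of_paths_rewritten)."""
    rewritten = 0

    def fix_clause(clause):
        nonlocal rewritten
        text, n = AT_PATH.subn(_bracket, clause.group(0))
        rewritten += n
        return text

    # Only json clauses are touched; "@" in other operators is left alone,
    # and already-migrated paths (starting with "[") do not match again.
    return JSON_CLAUSE.sub(fix_clause, query), rewritten


# Constructed sample query, not taken from a real deployment.
SAMPLE = ('_sourceCategory=app/logs '
          '| json field=jsonObject "@source","@fields.logger" as Source,Logger '
          '| where Source matches "@web*"')

if __name__ == "__main__":
    migrated, count = migrate_query(SAMPLE)
    print(count, "path(s) rewritten")
    print(migrated)
```

Running it a second time on its own output rewrites nothing, so it is safe to re-run over a query inventory that is partly migrated.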
Your assistance in getting these changes made to any applicable queries as soon as possible is greatly appreciated and will help us move forward with development of the automatic parsing of JSON capability. If these updates are not made, in the future your JSON parse queries with the "@" character will no longer work.