How do I write a query to list all the keys in a json log?

Comments

11 comments

  • Avatar
    Kevin Keech

    The  JSON Auto function should be able to automatically parse out all the keys from your JSON message. This will create a field for each key name and its value. However, note there is a limit of 100 key fields with this operation. 

    Simple example:

    | json auto
  • Avatar
    Donald McKinnon

    Thanks, but I'm not sure how to get from that json value to just the list of keys. I'm really looking for something like

    | json auto listkeys

    Does that make sense?

  • Avatar
    Nick Wilson

    Hi Donald,

    So you're looking to return literally a field that says:

    key1, key2, key3...

    Is that correct?

    I'm curious what it is you're trying to do with this information? That might help us give a bit more guidance here.

    Thanks!
    Nick
    Sumo Logic - Customer Success

  • Avatar
    Donald McKinnon

    Hello Nick,

    Yes, that's correct. I'm trying to check all of the parameters that have been sent to our API endpoints. For example, if we have an API endpoint that accepts a foo parameter but authorized requestors have also been sending a bar parameter (maybe one that we ignore), then I want to know about it. I want to know all of these unexpected parameters.

    Does that make sense?

    Thank you for the quick response.

    Don

  • Avatar
    Nick Wilson

    Hi Don,

    Yes, that does make sense, thank you. I agree, I'm not sure the parse json operator is right for this.

    Someone here might have a better idea, but one way you could potentially do this is through regex parse with the "multi" option. A basic example would look something like this:

    *
    | parse regex "(?<delimiter>\?|\&)(?<param_names>[^=]+)\=(?<param_values>[^&]+)" multi
    | count by param_names

    Does this help?

    Thanks,
    Nick
    Sumo Logic - Customer Success

  • Avatar
    Donald McKinnon

    Hey Nick,

    Yes this helps. I suspected this was heading towards a fun regex. I can go with this approach, but if you or someone else comes up with a nifty way to do this without a regex, then that'd be ideal. If not, then no worries!

    Thanks again Nick and Kevin,

    Don

  • Avatar
    Nick Wilson

    No prob Don! Glad it helped.

  • Avatar
    Donald McKinnon

    Hey, sorry – I'm back. I spoke too soon. That regex actually doesn't work for me. It doesn't actually return anything for me. Does it return the list of keys when run on valid json logs for you?

  • Avatar
    Nick Wilson

    Oops...

    I got too caught up in the whole API endpoint thing, I forgot this was in JSON.

    I found this pattern on Stack Overflow and it works, at least with a simple example:

    *
    | parse regex "(?<key>[^"]+?)"\s*:" multi
    | count by param_names

    Let me know if that gives you a better start.

    Thanks,
    Nick
    Sumo Logic - Customer Success

  • Avatar
    Donald McKinnon

    No worries! I reached the same post.

     

    Thanks,

    Don

  • Avatar
    Nick Wilson

    And yet it was down-voted :-/ Anyway no problem Don, glad to help.

Please sign in to leave a comment.