How do I write a query to list all the keys in a json log?
If I have some log { "key1" : "value1", "key2" : "value2", "key3" : "value3" } then how do I write a query that returns key1, key2, key3 when the number and content of the keys is different between logs and I do not know the entire set of possible keys?
-
The JSON Auto function should be able to automatically parse out all the keys from your JSON message. This will create a field for each key name and its value. However, note there is a limit of 100 key fields with this operation.
Simple example:
| json auto
-
Hello Nick,
Yes, that's correct. I'm trying to check all of the parameters that have been sent to our API endpoints. For example, if we have an API endpoint that accepts a foo parameter but authorized requestors have also been sending a bar parameter (maybe one that we ignore), then I want to know about it. I want to know all of these unexpected parameters.
Does that make sense?
Thank you for the quick response.
Don
-
Hi Don,
Yes, that does make sense, thank you. I agree, I'm not sure the parse json operator is right for this.
Someone here might have a better idea, but one way you could potentially do this is through regex parse with the "multi" option. A basic example would look something like this:
*
| parse regex "(?<delimiter>\?|\&)(?<param_names>[^=]+)\=(?<param_values>[^&]+)" multi
| count by param_names
Does this help?
Thanks,
Nick
Sumo Logic - Customer Success
-
Oops...
I got too caught up in the whole API endpoint thing, I forgot this was in JSON.
I found this pattern on Stack Overflow and it works, at least with a simple example:
*
| parse regex "(?<key>[^"]+?)"\s*:" multi
| count by key
Let me know if that gives you a better start.
Thanks,
Nick
Sumo Logic - Customer Success
-
I have a follow-up question related to this and would really appreciate your help: https://support.sumologic.com/hc/en-us/community/posts/360033738173-Stacked-column-chart-for-average-values-of-arbitrary-keysAverage-timeslice
-
Yes, thank you! I am trying to do the exact same thing Donald is doing, except I also have nested parameters within the key. If I have some log { "key1" : "value1", "key2" : "value2", "key3" : {"nestedKey1" : "value3", "nestedKey2" : value4}} then how do I write a query that returns key1, key2, key3? The thing is, each log has a different amount of parameters and nested parameters.
I need this for the same reason Donald did, "I'm trying to check all of the parameters that have been sent to our API endpoints. For example, if we have an API endpoint that accepts a foo parameter but authorized requestors have also been sending a bar parameter (maybe one that we ignore), then I want to know about it. I want to know all of these unexpected parameters."
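An added example, not from any of the posters, that does outside Sumo Logic what this thread is after and also covers the nested case from the last post: it walks each JSON log, lists every key as a dotted path, counts how many logs carry each key, and flags keys that are not on an allowlist of documented parameters. The SAMPLE_LOGS lines and the EXPECTED_KEYS allowlist are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample log lines: each request log carries a different set of
# parameters, some of them nested, and one line is not JSON at all.
SAMPLE_LOGS = [
    '{"key1": "value1", "key2": "value2", "key3": "value3"}',
    '{"key1": "value1", "key3": {"nestedKey1": "value3", "nestedKey2": "value4"}}',
    '{"foo": 1, "bar": 2, "key3": {"nestedKey1": "x", "extra": {"deep": true}}}',
    'not json at all',
]

# Hypothetical allowlist: the parameters the endpoint is documented to accept.
EXPECTED_KEYS = {"key1", "key2", "key3", "key3.nestedKey1", "key3.nestedKey2", "foo"}


def flatten_keys(obj, prefix=""):
    """Yield every key path in a parsed JSON value; nested objects become dotted paths.

    Lists are descended into with the parent path kept, so keys of objects
    inside arrays are reported too.
    """
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else k
            yield path
            yield from flatten_keys(v, path)
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten_keys(item, prefix)


def count_keys(log_lines):
    """Return (Counter of key path -> number of logs containing it, unparseable lines)."""
    counts, bad = Counter(), []
    for line in log_lines:
        try:
            parsed = json.loads(line)
        except json.JSONDecodeError:
            bad.append(line)
            continue
        # set(): a key repeated inside one log (e.g. in an array) counts once per log
        counts.update(set(flatten_keys(parsed)))
    return counts, bad


def unexpected_keys(counts, expected=EXPECTED_KEYS):
    """Key paths seen in the logs but absent from the allowlist, most frequent first."""
    return sorted(((k, n) for k, n in counts.items() if k not in expected),
                  key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    counts, bad = count_keys(SAMPLE_LOGS)
    for key, n in sorted(counts.items()):
        print(f"{n:3d}  {key}")
    print("unexpected:", unexpected_keys(counts), "| unparseable lines:", len(bad))
```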