Displaying subset of JSON log as one of the fields

  • Kevin Keech

    Hi Jacob,

    If you remove the "Auto" from the JSON parsing and just specify the fields you want parsed you should get the custom_data JSON into your field. 

    ```
    | json "custom_data", "message"
    ```

    The "Auto" option tells the JSON operator to automatically parse ALL the key/values from the message. I believe in this case it parses the "custom_data.order_id" and "custom_data.time_taken", and "custom_data" alone is no longer a key field, so it comes up empty. If you are going to drop the other auto-parsed fields anyway, then the above should work.

  • Jacob Wang

    Thanks Kevin, that worked!

    Another related question: Let's say I want to use "json auto" and show a deeply nested field, how do you do it?

    I tried

    ```
    | json auto | fields "custom_data.order_id"
    ```

    but the expression parser doesn't like the ".". The docs https://help.sumologic.com/05Search/Search-Query-Language/01-Parse-Operators/03-Parse-JSON-Formatted-Logs#additional-options seem to indicate that you can do it.

    If the docs could be improved covering these (I think) common use cases then that'll be great! Thanks

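A small Python model of the behaviour described in Kevin's answer, added here as an illustration; it is not Sumo Logic's code and not part of the original thread. It assumes auto mode flattens nested objects into dotted field names, so the parent key no longer exists as a field, while naming keys explicitly keeps the sub-object as JSON text. The function names and the sample log line are constructed.

```python
import json

# Constructed sample log line using the field names from this thread.
SAMPLE = json.dumps({
    "message": "order processed",
    "custom_data": {"order_id": "A-1001", "time_taken": 42},
})


def parse_auto(raw):
    """Model of auto mode (assumption): every leaf becomes a dotted field."""
    fields = {}

    def walk(node, prefix):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{prefix}.{key}" if prefix else key)
        else:
            # Leaves (scalars, and lists in this simplified model) are stored
            # under the full dotted path; the parent object itself is not kept.
            fields[prefix] = node

    walk(json.loads(raw), "")
    return fields


def parse_keys(raw, *keys):
    """Model of explicit keys: return only the named top-level keys.

    Nested objects are kept whole and rendered as JSON text, which is what
    lets "custom_data" show up as a single field.
    """
    doc = json.loads(raw)
    out = {}
    for key in keys:
        value = doc.get(key)
        if isinstance(value, (dict, list)):
            value = json.dumps(value, sort_keys=True)
        out[key] = value
    return out


if __name__ == "__main__":
    print("auto:    ", parse_auto(SAMPLE))
    print("explicit:", parse_keys(SAMPLE, "custom_data", "message"))
```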