json parsing

Follow

Alex Unknown

• October 27, 2020 18:05

trying to do simple json parsing that isn't working. The message has this format (bunyan):

{"timestamp":1603819227549,"log":{
"msg":"{\"status\":\"active\",,\"user_id\":\"123456\",\"organization_id\":null}}

Tried simply to use
* | json auto

and it shows me log.msg
I'd like to extract organization_id, so I tried many ways from the documentation and none worked.
2 things I tried:
| json field=organization_id "log.msg"
| json auto keys "log.msg.organization_id"

0

• 

  Jason Nguyen

  • November 03, 2020 21:11

  Hello Alex,

  For your use case, you can try to use the following options to see if it works:

  1) 

  | json auto
  | json auto field=log

  OR

  2)

  | json "log"
  | json auto field=log

  We also found the link that is similar to your case and hope this helps.

  https://stackoverflow.com/questions/63660270/is-it-possible-to-parse-nested-json-in-sumologic

  Regards,

  Jason

  0

  Comment actions Permalink

Please sign in to leave a comment.