Using variables as json key parsing

Follow

Brandon Free

• July 19, 2022 21:13

Is it possible to use fields as variables in the query language? Specifically in parsing JSON in this case?

Here is an example, let's say the full key name is not always obvious and needs to be extracted to be used later based on what it contains:

_source="some source"
| parse regex "(?<found_key>\"[^\"]*key_contains_this_string\")"
| replace (found_value, "\"", "") as cleaned_up_key     <-----sanitizing the key
| json "$['some_object']['cleaned_up_key]" as my_json_object

 

This example doesn't work, because it's using the string "cleaned_up_key" instead of the value that is stored in the cleaned_up_key field. Is there any way to use a variable in this way?

Or alternatively, a wildcard like follows? (I've confirmed this doesn't work, the wildcard seems to be all or nothing.)

| json "$['some_object'][*key_contains_this_string]" as my_json_object

0

• 

  Eli Jang

  • September 20, 2022 02:53

  Why don't you use Concat operator?
  https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/concat
  
  for example, 

  | concat(some_object, cleaned_up_key) as my_json_object

  0

  Comment actions Permalink

Please sign in to leave a comment.