Expressions in JSON format for structured data

Structured data in JSON format contains one or more properties, which are represented as a key-value pair.

About this task

You can extract properties from event data that is presented in JSON format by writing a JSON expression that matches the property. The JSON expression must be a path in the format of /"<name of top-level field>".

For example, you have event data that is formatted in JSON:


{ "action": "login", "user": "John Doe" }

or an event that has a nested JSON format, such as:

{ "action": "login", "user": { "first_name": "John", "last_name": "Doe" } }

Procedure

To extract properties from event data, choose one of the following methods:

To extract the 'user' property for event data that is formatted in JSON, type the expression /"user" in the Expression field.
To extract the 'last_name' of the user for an event that has a nested JSON format, type the expression /"user"/"last_name" in the Expression field.