Contribute in GitHub:
Edit online
extract_json(), extractjson()
Get a specified element out of a JSON text using a path expression.
Optionally convert the extracted string to a specific type.
Note
The extract_json() and extractjson() functions are interpreted equivalently.
extract_json("$.hosts[1].AvailableMB", EventText, typeof(int))
Syntax
extract_json(jsonPath, dataSource, type)
extractjson(jsonPath, dataSource, type)
Arguments
- jsonPath: JSONPath string that defines an accessor into the JSON document.
- dataSource: A JSON document.
- type: An optional type literal (for example, typeof(long)). If provided, the extracted value is converted to this type.
Returns
This function performs a JSONPath query into dataSource, which contains a valid JSON string, optionally converting that value to another type depending on the third argument.
Example
Note
Change the variables to ensure they reflect logs in your system.
The [bracket] notation and dot (.) notation are equivalent:
T
| extend value_extracted = extract_json("$.hosts[1].AvailableMB", payload, typeof(int))
T
| extend value_extracted = extract_json("$['hosts'][1]['AvailableMB']", payload, typeof(int))
Example 2
The [bracket] notation and dot (.) notation are equivalent:
events
| project original_time, data_source_name, payload,event_uuid
//--- Search for the last 5 minutes of data
| where original_time > ago(5m) and payload contains '{' and event_uuid == 'xxxxxxxx-xxxxxxxx'
| project e = extract_json('$.variable.full.path', payload, typeof(string))
| take 10000
Performance tips
- Apply where-clauses before using
extract_json() - Consider using a regular expression match with extract instead. This can run very much faster, and is effective if the JSON is produced from a template.
- Use
parse_json()if you need to extract more than one value from the JSON. - Consider having the JSON parsed at ingestion by declaring the type of the column to be dynamic.