JSON Structure

JSON-structured logs are routinely produced by software components and are promoted as a logging best practice: they are easy to produce, easy for a wide range of tools to consume, and still human readable.

To expand the JSON format in Log Search, enable the Expand JSON option under the Log display section. Enabling this option will make a valid JSON log message appear as an expanded JSON object.


JSON Parsing Specification

The system automatically parses JSON-formatted log events that comply with the JSON specification (IETF RFC 4627, since superseded by RFC 8259). To take advantage of the prettification option, the entry must be a single object ({ … }) or an array of JSON objects. JSON objects embedded in unstructured data will still have their keys recognised, but you will not be able to expand the JSON hierarchy.

Note

If an object contains multiple keys with the same name, the parser takes the value of the last occurrence as the correct one. Keep this in mind if the same log is also consumed by a tool that keeps the first occurrence, since the two will disagree on the field's value.


Nested JSON

You can use the JSON hierarchy in queries and alerts. For example, suppose you are sending logs like the following.

```json
{
  "volume": "blaring",
  "current": {
    "band": "rednex",
    "song": "cotton eye joe",
    "members": [
      {"firstname": "Kent", "lastname": "Olander"},
      {"firstname": "Urban", "lastname": "Landgren"},
      {"firstname": "Jonas", "lastname": "Lundstrom"},
      {"firstname": "Tor", "lastname": "Nilsson"}
    ]
  },
  "next": {
    "band": "the dubliners",
    "song": "finnegan's wake",
    "members": [
      {"firstname": "Ronnie", "lastname": "Drew"},
      {"firstname": "Luke", "lastname": "Kelly"},
      {"firstname": "Ciaran", "lastname": "Bourke"},
      {"firstname": "Barney", "lastname": "McKenna"}
    ]
  }
}
```

We use dot notation for nested object keys and zero-based integers for array positions. Below are some example queries using dot notation and array positions that you may find helpful.


Example Queries

You want to find when the volume is blaring:

where(volume="blaring")

You want to find when the current band is Rednex:

where(current.band = "rednex")

You want to find the member of the Dubliners named "Ciaran" (the third element of next.members, so position 2):

where(next.members.2.firstname = "Ciaran")

Here are more examples of dot-notation keys and the values they resolve to in the log message above. A key that names a container rather than a leaf value (current.members, current.members.0) resolves to nothing, shown here as "".

JSON dot notation              matches
current.band                   rednex
current.song                   cotton eye joe
current.members                ""
current.members.0              ""
current.members.1.firstname    Urban
current.members.2.lastname     Lundstrom


Alerting

You can set up an alert for when someone tries to put some Nickelback on, using a pattern such as where(next.band = "nickelback"). The alert can tag the matching messages, or send an email based on that tag or on the alert itself.


Notes

  • JSON entries nested more than 10 levels deep are not supported and will not be parsed. Nested keys are resolved fully before they are stored, so a container such as current.members is not itself a key; only leaf values such as current.members.0.firstname are.

  • Any pre-existing alerts or saved queries may need to be updated. Alerts or queries that search for a child key by its bare name (e.g. where(band) in the example above) may break, because that value is now stored under current.band and next.band.

  • We suggest updating your queries to match both the old and the new key names during the transition. Using the example above, you could query for where(band OR current.band).
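As an added worked example (not part of this page or the product's own code), the following Python models the rules described above in one place: resolving nested JSON into dot-notation leaf keys with zero-based array positions, taking the last of duplicate keys, refusing entries nested more than 10 levels deep, recognising the keys of a JSON object embedded in unstructured text without marking it expandable, and evaluating the where(...) queries shown in the Example Queries and Alerting sections. The sample event and the syslog-style line are constructed; how the product actually locates embedded JSON and what its full query grammar supports are assumptions of this example, not documented behaviour.

```python
import json
import re

MAX_DEPTH = 10  # the Notes say entries nested deeper than this are not parsed

# Constructed sample event modelled on the page's band example (not real log data).
SAMPLE_EVENT = json.dumps({
    "volume": "blaring",
    "current": {"band": "rednex", "song": "cotton eye joe",
                "members": [{"firstname": "Kent", "lastname": "Olander"},
                            {"firstname": "Urban", "lastname": "Landgren"},
                            {"firstname": "Jonas", "lastname": "Lundstrom"},
                            {"firstname": "Tor", "lastname": "Nilsson"}]},
    "next": {"band": "the dubliners", "song": "finnegan's wake",
             "members": [{"firstname": "Ronnie", "lastname": "Drew"},
                         {"firstname": "Luke", "lastname": "Kelly"},
                         {"firstname": "Ciaran", "lastname": "Bourke"},
                         {"firstname": "Barney", "lastname": "McKenna"}]},
})


def flatten(value, prefix="", depth=0, out=None):
    """Resolve nested keys fully into dot-notation leaf keys: object keys by name,
    array elements by zero-based position. Containers are never keys themselves
    (current.members is not a key; current.members.0.firstname is)."""
    if out is None:
        out = {}
    if isinstance(value, (dict, list)):
        if depth >= MAX_DEPTH:
            raise ValueError(f"nesting deeper than {MAX_DEPTH} levels")
        items = value.items() if isinstance(value, dict) else enumerate(value)
        for key, child in items:
            flatten(child, f"{prefix}{key}.", depth + 1, out)
    else:
        out[prefix[:-1]] = value
    return out


def _embedded_object(decoder, line):
    """Assumed handling of JSON embedded in free text (e.g. after a syslog
    prefix): take the first '{' that starts a complete, valid object."""
    start = line.find("{")
    while start != -1:
        try:
            obj, _ = decoder.raw_decode(line, start)
            if isinstance(obj, dict):
                return obj
        except json.JSONDecodeError:
            pass
        start = line.find("{", start + 1)
    return None


def parse_event(line):
    """Return (fields, expandable) for one log line, or None if nothing parses.
    expandable is True only when the whole entry is one object or array."""
    # object_pairs_hook=dict makes the "last duplicate key wins" rule explicit.
    decoder = json.JSONDecoder(object_pairs_hook=dict)
    try:
        doc, expandable = decoder.decode(line), True
    except json.JSONDecodeError:
        doc, expandable = _embedded_object(decoder, line), False
    if not isinstance(doc, (dict, list)):
        return None
    try:
        return flatten(doc), expandable
    except ValueError:  # too deep: the whole entry is left unparsed
        return None


_CLAUSE = re.compile(r'^\s*([\w.\-]+)\s*(?:=\s*"([^"]*)")?\s*$')


def where(query, fields):
    """Evaluate the page's where(...) syntax: `key = "literal"` or a bare `key`
    (key exists), clauses joined by OR. Non-string values compare as JSON text."""
    body = re.fullmatch(r'\s*where\((.*)\)\s*', query, re.S)
    if body is None:
        raise ValueError(f"unsupported query: {query}")
    for clause in re.split(r'\s+OR\s+', body.group(1)):
        match = _CLAUSE.match(clause)
        if match is None:
            raise ValueError(f"unsupported clause: {clause}")
        key, literal = match.groups()
        if key in fields:
            value = fields[key]
            text = value if isinstance(value, str) else json.dumps(value)
            if literal is None or text == literal:
                return True
    return False


def nested(levels):
    # Constructed object nested `levels` deep, used to probe the depth limit.
    doc = "leaf"
    for i in range(levels, 0, -1):
        doc = {f"l{i}": doc}
    return json.dumps(doc)


if __name__ == "__main__":
    fields, expandable = parse_event(SAMPLE_EVENT)
    print(expandable, fields["next.members.2.firstname"])        # True Ciaran
    print(where('where(next.band = "nickelback")', fields))      # False
    print(parse_event('{"band":"rednex","band":"nickelback"}'))  # ({'band': 'nickelback'}, True)
    print(parse_event(nested(11)))                               # None
```

The transition advice from the Notes maps directly onto this evaluator: where(band OR current.band) is true for the sample event because the OR falls through to the new key, while where(band) alone is false once the child key has been resolved to its full path.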