Given multiple columns, create a single JSON column from them.
Operator Usage in Easy Mode
- Click + on the parent node.
- Enter Columns to Json operator in the search field and select the operator from the Results to open the operator form.
- In the Input Table drop-down, enter or select the table containing the data to run this operator on.
- In the List of Columns drop-down, enter or select the list of columns to create a JSON column. You can add multiple columns using comma-separated values.
- Click Run to view the result.
- Click Save to add the operator to the playbook.
- Click Cancel to discard the operator form.
Usage Details
LQL Command
columnsToJson(table, columns)
table
: Table name
columns
: Comma-separated list of columns, such as "col1, col2, col3"
Example
Input
table
: field1, field2, field3
With "field1, field2, field3" as arguments, this operator creates lhub_json_column
column with a JSON object in it.
You can extract the values using the query get_json_object(lhub_json_column, '$.field1')
in LQL.
sourceIP | sourcePort |
---|---|
1.1.1.1 | 2023 |
LQL command
columnsToJson(table, "sourceIP, sourcePort")
Output
sourceIP | sourcePort | lhub_json_column |
---|---|---|
1.1.1.1 | 2023 | {"sourceIP":"1.1.1.1", "sourcePort":2023} |