
To boolean (bool)

Description

Transforms the JSON values in a specified json field into the boolean data type. Note that you must first use the Jq evaluation (jqeval) operation to extract the part of the JSON that represents a Boolean value (true, false).

How does it work in the search window?

Select Create column in the search window toolbar, then select the To boolean operation. You need to specify one argument:

| Argument | Data type |
| --- | --- |
| Json to convert (mandatory) | json |

The data type of the values in the new column is boolean.

Example

We have the following JSON string to parse in the siem.logtrust.web.activity table:

{"str": "hello", "int": 1, "float": 2.5, "boolean": true, "array": [1,2,3], "object": {"a": 5}}

We want to generate a column that converts the Boolean value into the boolean data type. To do so, we first transform the string into a json data type column, and then use the Jq evaluation (jqeval) operation to extract the Boolean value from the JSON objects.

Step 1: Transform the JSON string into json data type

We use the To json (jsonparse) operation and enter the JSON string we want to use to get a column representing it in json data type.

Step 2: Extract the Boolean value from the JSON objects

Then, we use the Jq evaluation (jqeval) operation to extract the Boolean part of the JSON objects in a new column, in json data type. These are the required arguments:

  • jq - Click the pencil icon and enter .boolean

  • json - json column

 

Step 3: Transform the Boolean values into boolean data type

Finally, we use the To boolean operation to transform the boolean representations in json data type into boolean data type. 

 

You will see the following result:

How does it work in LINQ?

Use the select... as... operator and add the operation syntax to create the new column. This is the syntax for the To boolean operation:

  • bool(json_boolean)

Example

You can copy the following LINQ script and try the previous example on the siem.logtrust.web.activity table. 

from siem.logtrust.web.activity
select jsonparse("{\"str\": \"hello\", \"int\": 1, \"float\": 2.5, \"boolean\": true, \"array\": [1,2,3], \"object\": {\"a\": 5}}") as json,
  jqeval(jqcompile(".boolean"), json) as jsonBoolean,
  bool(jsonBoolean) as boolean