Json value type (label)
Description
Returns the data type of the value inside a JSON object. Note that you must first extract the value from the JSON using the Jq evaluation (jqeval) operation. This operation is helpful when you want to convert the data type of the extracted value and you need to know which one is appropriate.
Alternatively, you can quickly check the data types and transform them, even without previously extracting them, using the pretty-print view (more info in the article Working with JSON objects in data tables).
How does it work in the search window?
Select Create field in the search window toolbar, then select the Json value type operation. You need to specify one argument:
Argument | Data type |
---|---|
Json to get the type mandatory | json |
The data type of the values in the new field is string.
Example 1
In this example, in the siem.logtrust.web.activity
table, we will perform the To json (jsonparse) operation to obtain the JSON below (1) and the Jq evaluation (jqeval) operation to extract one value from it (2):
select jsonparse(
{"name":"John","birth":"1986-12-14","city":"New York"}
) as …select jqeval(jqcompile
("city"),
json) as ...
After that, we want to know the data type of the extracted value:
Click the Create field button on the toolbar, select the Json value type (label) operation and give the new field a name.
Add the necessary argument and configure it as shown in the picture below:
Json to get the type → City
Click Create field and a new field will be created indicating the data type of the city value.
Example 2
In this example, in the siem.logtrust.web.activity
table, we will perform the To json (jsonparse) operation to obtain the JSON below (1) and the Jq evaluation (jqeval) operation to extract each value in a different field (2):
select jsonparse
({"str": "hello", "int": 1, "float": 2.5, "boolean": true, "array": [1,2,3], "object": {"a": 5}}
) as …select jqeval(jqcompile
(str, int, float, boolean, array, object)
, json) as ...
Then, we will use the Json value type (label) operation to get the data type of each value. We will start with the boolean field:
Click the Create field button on the toolbar, select the Json value type (label) operation and give the new field a name.
Add the necessary argument and configure it as shown in the picture below:
Json to get the type → jsonBoolean
Click Create field and a new field will be created indicating the data type of the boolean field.
Repeat the same step with all the fields extracted from the JSON and you will get the following result:
How does it work in LINQ?
Use the operator select
... as
... and add the operation syntax to create the new field. This is the syntax for the Json value type operation:
label(json_value)
Example 1
You can use the following LINQ script to recreate example 1 in any table (for example, in siem.logtrust.web.activity
):
from siem.logtrust.web.activity
select jsonparse("{ \"name\":\"John\", \"birth\":\"1986-12-14\", \"city\":\"New York\"}") as Json
select jqeval(jqcompile(".city"), Json) as City
select label(City) as CityLabel
Example 2
You can use the following LINQ script to recreate example 2 in any table (for example, in siem.logtrust.web.activity
):
from siem.logtrust.web.activitysiem.logtrust.web.activitysiem.logtrust.web.activitysiem.logtrust.web.activitysiem.logtrust.web.activitysiem.logtrust.web.activity
select jsonparse("{\"str\": \"hola\", \"int\": 1, \"float\": 2.5, \"boolean\": true, \"array\": [1,2,3], \"object\": {\"a\": 5}}") as json
select jqeval(jqcompile(".str"), json) as jsonStr,
jqeval(jqcompile(".int"), json) as jsonInt,
jqeval(jqcompile(".float"), json) as jsonFloat,
jqeval(jqcompile(".boolean"), json) as jsonBoolean,
jqeval(jqcompile(".array"), json) as jsonArray,
jqeval(jqcompile(".object"), json) as jsonObject
select label(jsonStr) as labelStr,
label(jsonInt) as labelInt,
label(jsonFloat) as labelFloat,
label(jsonBoolean) as labelBoolean,
label(jsonArray) as labelArray,
label(jsonObject) as labelObject