json
Shorthand command for extracting fields from JSON data. Equivalent to unpack_json with a simpler syntax for common use cases.
Syntax
| json [field=<field>] [<path1>, <path2>, ...]
Arguments
| Argument | Default | Description |
|---|---|---|
field | _raw | Source field containing JSON text |
| paths | (all) | Optional list of specific JSON keys to extract |
Examples
-- Extract all JSON fields from _raw
| json
-- Extract from a specific field
| json field=message
-- Extract specific paths only
| json level, status, duration_ms
-- Chain with filtering
| json | where level="error" | stats count by service
-- Extract from nested JSON (combined with dot-notation)
| json | where response.status >= 500
Notes
| jsonis a convenience alias for| unpack_json. For advanced options likeprefixorkeep_original, useunpack_jsondirectly.- When paths are specified, only those keys are extracted, improving performance for wide JSON objects.
jsonis a streaming operator -- it processes events one at a time without buffering.- Works seamlessly with dot-notation for accessing nested fields after extraction.
See Also
- unpack_json -- Full JSON extraction with all options
- JSON Functions -- json_extract, json_keys, json_valid, etc.
- Working with JSON Logs -- Comprehensive JSON processing guide