spath command: Examples
Examples for using the SPL2 spath command
Extract nested JSON data from an existing field
The following example shows how to extract nested JSON data:
Suppose you run the following search, which creates a nested JSON object about cooperative board games.
$games = from [ {"category": [ {"boardgames": [ { "cooperative": [ { "name": "Pandemic"}, { "name": "Forbidden Island"}, { "name": "Castle Panic"} ] } ] } ] } ]
The search results contain a field named category with the following nested object:
| category |
|---|
| [ {"boardgames": [ { "cooperative": [ { "name": "Pandemic"}, { "name": "Forbidden Island"}, { "name": "Castle Panic"} ] } ] } ] |
You can add the spath command to a search to extract a specific value from the object. In this example the game Forbidden Island is extracted:
$games = from [ {"category": [ {"boardgames": [ { "cooperative": [ { "name": "Pandemic"}, { "name": "Forbidden Island"}, { "name": "Castle Panic"} ] } ] } ] } ] | spath input=games output=favorite_game path=category.boardgames.cooperative{1}
Extracting information by specifying an output field and path
The following example shows how to specify an output field and path:
... | spath output=myfield path="server.name"
Extracting information by specifying an output field and path with a wildcard for JSON data
The following example shows how to specify an output field and path with a wildcard for JSON data:
... | spath output=commit_author path="commits{}.author.name"
Extracting the value of the locale attribute in XML data
The following example shows how to extract the value of the locale attribute in XML data. Because the output field name contains a special character, a period ( . ), the field name must be enclosed in quotation marks.
... | spath output="locDesc.locale" path="vendorProductSet.product.desc.locDesc{@locale}"
Extracting data from a JSON file using the auto-extract mode
Consider the following example of JSON in an event:
```json
{
  "vendorProductSet" : {
    "product" : [
      {"desc" : 1},
      {"locDesc" : 2}
    ],
    "year" : 2026
  }
}
```
The following is an example of using the spath command in a search without the optional parameters:
... | spath
This search extracts and creates the following field-value pairs:
| vendorProductSet.product{}.desc | vendorProductSet.product{}.locDesc | vendorProductSet.year |
|---|---|---|
| 1 | 2 | 2026 |
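The field names in the table above follow a fixed convention: object keys are joined with a period, and `{}` marks a key whose value is an array. The Python sketch below is an added example, not Splunk code; the helper `auto_extract` is hypothetical and the commit event is constructed, and it emulates only the naming shown on this page. It also shows that values from different array elements land in separate multivalue fields, so a search that relies on these fields cannot tell which array element a value came from.

```python
import json

# JSON event copied from the auto-extract section of this page.
PAGE_EVENT = json.loads("""
{"vendorProductSet": {"product": [{"desc": 1}, {"locDesc": 2}], "year": 2026}}
""")

# Constructed sample event (not from the page) with a multi-element array.
COMMITS_EVENT = json.loads("""
{"repository": "example-repo",
 "commits": [{"id": "c1", "author": {"name": "alice"}},
             {"id": "c2", "author": {"name": "bob"}}]}
""")


def auto_extract(event):
    """Emulate spath auto-extract naming (hypothetical helper, not Splunk code).

    Object keys are joined with '.', and '{}' is appended to a key whose
    value is an array. Returns {field_name: [values in document order]}.
    """
    fields = {}

    def walk(node, name):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{name}.{key}" if name else key)
        elif isinstance(node, list):
            for child in node:
                walk(child, name + "{}")
        else:
            # Scalar leaf: repeated names accumulate as a multivalue field.
            fields.setdefault(name, []).append(node)

    walk(event, "")
    return fields


if __name__ == "__main__":
    for event in (PAGE_EVENT, COMMITS_EVENT):
        for field, values in auto_extract(event).items():
            print(f"{field} = {values}")
        print()
```

For the constructed commit event, the flattened name `commits{}.author.name` is the same string used as the wildcard path in the earlier example, and it holds every author name in the array.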
See also
spath command