Not able to extract fields from nested JSON

Hi Team, I have searched and done lots of trial and error, but I am not able to find out how to extract fields from JSON. I was referring to this post, as I have similar JSON:

My JSON is quite huge and has important information inside, so I won't be able to post the data directly, but I would be ready to give insight on whatever is required.

The main problem is that my nested JSON fields need escape characters to become valid. I am not sure how I can handle this in Graylog.

Hello @jhonbanegadon

Have you looked into select_jsonpath() as a function? It might be of assistance here.

I’m unsure what you mean by “JSON fields need escape characters to become valid”. A sanitised example of what you are working with and your current rule would be useful.

Hi @Wine_Merchant, sorry for the late response; I was stuck on something else. As I said before, my JSON is huge:


{
   "call_type":"na",
   "last_updated_timestamp":"1718870393",
   "details":"{\"Call\":{\"SerialNumber\": \"dd7c03c4-05a6-48f4\",\"BoxSerialNumber\": \"a93669e3-3d5e\",\"Tag\": \"15c66b5f-40c5\",\"SIPVariant\": \"Standards-based\",\"State\": \"Disconnected\",\"StartTime\": \"2024-06-20 13:28:15.373091\",\"InitialCall\": \"True\",\"Licensed\": \"True\",\"LicensedAsTraversal\": \"True\",\"SourceAlias\": \"sip:user2@example.com\",\"DestinationAlias\": \"sip:user1@example.com\",\"ToLocal\": \"True\",\"Audio\": \"False\",\"License\":{\"Traversal\": \"0\",\"NonTraversal\": \"0\",\"DemotedTraversal\": \"0\",\"CollaborationEdge\": \"0\",\"Cloud\": \"2\",\"MicrosoftContent\": \"0\",\"MicrosoftIMP\": \"0\"},\"Duration\": \"98\",\"Legs\":[{\"Leg\":{\"Protocol\": \"SIP\",\"SIP\":{\"Address\": \"1.1.1.1:7001\",\"Transport\": \"TLS\",\"Aliases\":[{\"Alias\":{\"Type\": \"Url\",\"Origin\": \"Unknown\",\"Value\": \"sip:user1@example.com\"}}]},\"Targets\":[{\"Target\":{\"Type\": \"Url\",\"Origin\": \"Unknown\",\"Value\": \"sip:user1@example.com\"}}],\"BandwidthNode\": \"test\",\"EncryptionType\": \"None\",\"Cause\": \"200\",\"Reason\": \"OK\"}},{\"Leg\":{\"Protocol\": \"SIP\",\"SIP\":{\"Address\": \"2.2.2.2:5061\",\"Transport\": \"TLS\",\"Aliases\":[{\"Alias\":{\"Type\": \"Url\",\"Origin\": \"Unknown\",\"Value\": \"sip:user1@example.com\"}}]},\"BandwidthNode\": \"node1\"}},{\"Leg\":{\"Protocol\": \"SIP\",\"SIP\":{\"Address\": \"3.3.3.3:5071\",\"Transport\": \"TLS\",\"Aliases\":[{\"Alias\":{\"Type\": \"Url\",\"Origin\": \"Unknown\",\"Value\": \"sip:user1@example.com\"}}]},\"BandwidthNode\": \"node1\",\"EncryptionType\": \"AES\",\"Cause\": \"200\",\"Reason\": \"OK\"}}],\"Sessions\":[{\"Session\":{\"Status\": \"Replaced\",\"MediaRouted\": \"True\",\"CallRouted\": \"True\",\"Participants\":{\"Leg\": \"1\",\"Leg\": \"2\",\"Incoming\":{\"Leg\": \"1\"},\"Outgoing\":{\"Leg\": \"2\"}},\"Bandwidth\":{\"Requested\": \"0\",\"Allocated\": \"0\"}}},{\"Session\":{\"Status\": \"Completed\",\"MediaRouted\": \"False\",\"CallRouted\": \"True\",\"Participants\":{\"Leg\": \"1\",\"Leg\": \"3\",\"Incoming\":{\"Leg\": \"1\"},\"Outgoing\":{\"Leg\": \"3\"}},\"Bandwidth\":{\"Requested\": \"16064\",\"Allocated\": \"6000\"},\"Route\":[{\"Hop\":{\"Zone\": \"zone1\"}},{\"Hop\":{\"Link\": \"zone2\"}},{\"Hop\":{\"Zone\": \"TraversalSubZone\"}},{\"Hop\":{\"Link\": \"Zone006ToTraversalSZ\"}},{\"Hop\":{\"Zone\": \"zone2\"}}]}}],\"EndTime\": \"2024-06-20 13:29:53.412594\"}}",
   "disconnect_reason":"200 OK",
   "non_tokens":"0",
   "license_tokens":"0",
   "audio":"false",
   "rdp":"false",
   "media_routed":"true",
   "ms_conversation_id":"",
   "sip_variant":"Standards-based",
   "protocol":"SIP <-> SIP",
   "protocol_summary":"Multiple components",
   "bside_request_uri":"",
   "aside_request_uri":"",
   "bside_destination_alias":"",
   "aside_destination_alias":"",
   "destination_alias":"sip:user1.room@example.com",
   "source_alias":"sip:user2@example.com",
   "end_time":"2024-06-20 13:29:53.412594",
   "start_time":"2024-06-20 13:28:15.373091",
   "box_call_serial_number":"a93669e3-3d5e-444e",
   "tag":"15c66b5f-40c5-42f0",
   "status":"Disconnected",
   "licensed_as":"true",
   "licensed":"true",
   "initial_call":"true",
   "active":"false",
   "service_uuid":"e6723fd0-5ca2-6rf5d",
   "uuid":"dd7c03c4-05a6-48f4"
}

Now this is valid JSON, modified by online tools: https://jsonformatter.curiousconcept.com/#

Now I get the JSON without unescaped character, but when I put it into the tool, it adds unescape character automatically, only for the details keyword. Please let me know how I can handle this JSON in Graylog. Thank you.

Hello everyone, could somebody help with this, please?
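
An added example, not part of the original thread and not Graylog's own code: in the sample above, `details` is a JSON document stored as a string, so the backslashes are ordinary JSON string escaping, and a second `parse_json()` call on that string makes it reachable by the `select_jsonpath()` function suggested earlier. The rule assumes the raw JSON arrives in the `message` field; the rule name and output field names are hypothetical.

```graylog
// Added example: assumes the raw JSON arrives in the "message" field.
rule "extract fields from nested details JSON"
when
  has_field("message")
then
  // First pass: parse the outer document. The JSON parser removes the
  // backslash escapes from "details", so no manual unescaping is needed.
  let outer = parse_json(to_string($message.message));
  let outer_fields = select_jsonpath(outer, {
    call_status: "$.status",
    disconnect_reason: "$.disconnect_reason",
    details_raw: "$.details"
  });

  // Second pass: "details" is still a plain string at this point, so it
  // needs its own parse_json() call before JSONPath can reach inside it.
  let details = parse_json(to_string(outer_fields["details_raw"]));
  let call_fields = select_jsonpath(details, {
    call_state: "$.Call.State",
    call_duration: "$.Call.Duration",
    first_leg_address: "$.Call.Legs[0].Leg.SIP.Address",
    first_leg_encryption: "$.Call.Legs[0].Leg.EncryptionType"
  });

  // Store only the selected values; the raw details string is not
  // written back to the message.
  set_field("call_status", outer_fields["call_status"]);
  set_field("disconnect_reason", outer_fields["disconnect_reason"]);
  set_fields(call_fields);
end
```

The sample's `Participants` objects repeat the `Leg` key, so a JSON parser will normally keep only one of the two values; the `Incoming` and `Outgoing` sub-objects are the safer source for leg numbers.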