Hi Team, I have searched and did lots of trial and run but I am not able to find the answer to extract fields from JSON, I was referring to this post as I have similar JSON :
My JSON is quite huge and has important information inside so won’t be able to post the data directly but would be ready to get the insight on whatever required
The main problem is my nested JSON fields needs escape character to become valid I am not sure how I can handle this in graylog
Hello @jhonbanegadon
Have you looked into select_jsonpath() as a function, it might be of assistance here.
I’m unsure what you mean by “JSON fields needs escape character to become valid”, a sanitised example of what you are working with and your current rule would be useful.
Hi @Wine_Merchant sorry for the late response, I was stuck into something else. As I said before my JSON is huge:
{
"call_type":"na",
"last_updated_timestamp":"1718870393",
"details":"{\"Call\":{\"SerialNumber\": \"dd7c03c4-05a6-48f4\",\"BoxSerialNumber\": \"a93669e3-3d5e\",\"Tag\": \"15c66b5f-40c5\",\"SIPVariant\": \"Standards-based\",\"State\": \"Disconnected\",\"StartTime\": \"2024-06-20 13:28:15.373091\",\"InitialCall\": \"True\",\"Licensed\": \"True\",\"LicensedAsTraversal\": \"True\",\"SourceAlias\": \"sip:user2@example.com\",\"DestinationAlias\": \"sip:user1@example.com\",\"ToLocal\": \"True\",\"Audio\": \"False\",\"License\":{\"Traversal\": \"0\",\"NonTraversal\": \"0\",\"DemotedTraversal\": \"0\",\"CollaborationEdge\": \"0\",\"Cloud\": \"2\",\"MicrosoftContent\": \"0\",\"MicrosoftIMP\": \"0\"},\"Duration\": \"98\",\"Legs\":[{\"Leg\":{\"Protocol\": \"SIP\",\"SIP\":{\"Address\": \"1.1.1.1:7001\",\"Transport\": \"TLS\",\"Aliases\":[{\"Alias\":{\"Type\": \"Url\",\"Origin\": \"Unknown\",\"Value\": \"sip:user1@example.com\"}}]},\"Targets\":[{\"Target\":{\"Type\": \"Url\",\"Origin\": \"Unknown\",\"Value\": \"sip:user1@example.com\"}}],\"BandwidthNode\": \"test\",\"EncryptionType\": \"None\",\"Cause\": \"200\",\"Reason\": \"OK\"}},{\"Leg\":{\"Protocol\": \"SIP\",\"SIP\":{\"Address\": \"2.2.2.2:5061\",\"Transport\": \"TLS\",\"Aliases\":[{\"Alias\":{\"Type\": \"Url\",\"Origin\": \"Unknown\",\"Value\": \"sip:user1@example.com\"}}]},\"BandwidthNode\": \"node1\"}},{\"Leg\":{\"Protocol\": \"SIP\",\"SIP\":{\"Address\": \"3.3.3.3:5071\",\"Transport\": \"TLS\",\"Aliases\":[{\"Alias\":{\"Type\": \"Url\",\"Origin\": \"Unknown\",\"Value\": \"sip:user1@example.com\"}}]},\"BandwidthNode\": \"node1\",\"EncryptionType\": \"AES\",\"Cause\": \"200\",\"Reason\": \"OK\"}}],\"Sessions\":[{\"Session\":{\"Status\": \"Replaced\",\"MediaRouted\": \"True\",\"CallRouted\": \"True\",\"Participants\":{\"Leg\": \"1\",\"Leg\": \"2\",\"Incoming\":{\"Leg\": \"1\"},\"Outgoing\":{\"Leg\": \"2\"}},\"Bandwidth\":{\"Requested\": \"0\",\"Allocated\": \"0\"}}},{\"Session\":{\"Status\": \"Completed\",\"MediaRouted\": \"False\",\"CallRouted\": \"True\",\"Participants\":{\"Leg\": \"1\",\"Leg\": \"3\",\"Incoming\":{\"Leg\": \"1\"},\"Outgoing\":{\"Leg\": \"3\"}},\"Bandwidth\":{\"Requested\": \"16064\",\"Allocated\": \"6000\"},\"Route\":[{\"Hop\":{\"Zone\": \"zone1\"}},{\"Hop\":{\"Link\": \"zone2\"}},{\"Hop\":{\"Zone\": \"TraversalSubZone\"}},{\"Hop\":{\"Link\": \"Zone006ToTraversalSZ\"}},{\"Hop\":{\"Zone\": \"zone2\"}}]}}],\"EndTime\": \"2024-06-20 13:29:53.412594\"}}",
"disconnect_reason":"200 OK",
"non_tokens":"0",
"license_tokens":"0",
"audio":"false",
"rdp":"false",
"media_routed":"true",
"ms_conversation_id":"",
"sip_variant":"Standards-based",
"protocol":"SIP <-> SIP",
"protocol_summary":"Multiple components",
"bside_request_uri":"",
"aside_request_uri":"",
"bside_destination_alias":"",
"aside_destination_alias":"",
"destination_alias":"sip:user1.room@example.com",
"source_alias":"sip:user2@example.com",
"end_time":"2024-06-20 13:29:53.412594",
"start_time":"2024-06-20 13:28:15.373091",
"box_call_serial_number":"a93669e3-3d5e-444e",
"tag":"15c66b5f-40c5-42f0",
"status":"Disconnected",
"licensed_as":"true",
"licensed":"true",
"initial_call":"true",
"active":"false",
"service_uuid":"e6723fd0-5ca2-6rf5d",
"uuid":"dd7c03c4-05a6-48f4"
}
Now this is valid JSON modified by online tools : https://jsonformatter.curiousconcept.com/#
Now I get the json without unescaped character but when I put into the tool, it adds unescape character automatically only for details keyword. Please let me know how can I handle this json in graylog. Thank you
Hello everyone, could somebody help on this please ?
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.