Learn more about the Cortex Query Language json_extract_scalar_array()
function.
Important
Before using this JSON function, it's important that you understand how Cortex XSIAM treats a JSON in the Cortex Query Language. This function doesn't have a syntatic sugar format. For more information, see JSON functions.
Syntax
json_extract_scalar_array(<json_array_string>, <json_path>)
Important
When a Cortex Data Model (XDM) field is used in the <json_path>
and contains a dot (.
) character, such as xdm.source.host.device_id
, use the syntax:
json_extract_scalar_array(<json_array_string>, "['<json_field>']")
All other characters in the <json_path>
, such as colon (:
), and should be escaped as it's an invalid JSON path, are currently unsupported.
Description
The json_extract_scalar_array()
function accepts a string representing a JSON array, and returns an XQL-native array. This function is equivalent to the json_extract_array except that the final output isn't displayed in double quotes ("..."). To convert a string field to a JSON object, use the to_json_string function.
Important
JSON field names are case sensitive, so the key to field pairing must be identical in an XQL query for results to be found. For example, if a field value is "TIMESTAMP"
and your query is defined to look for "timestamp", no results will be found.