json_extract_scalar_array - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-02-17
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language json_extract_scalar_array() function.

Important

Before using this JSON function, it's important that you understand how Cortex XSIAM treats JSON in the Cortex Query Language. This function doesn't have a syntactic sugar format. For more information, see JSON functions.

Syntax
json_extract_scalar_array(<json_array_string>, <json_path>)

Important

When a Cortex Data Model (XDM) field is used in the <json_path> and contains a dot (.) character, such as xdm.source.host.device_id, use the syntax:

json_extract_scalar_array(<json_array_string>, "['<json_field>']")

All other characters in the <json_path> that would need escaping because they are invalid in a JSON path, such as a colon (:), are currently unsupported.

Description

The json_extract_scalar_array() function accepts a string representing a JSON array and returns an XQL-native array. This function is equivalent to the json_extract_array() function, except that the final output isn't displayed in double quotes ("..."). To convert a string field to a JSON object, use the to_json_string function.

Important

JSON field names are case sensitive, so the key to field pairing must be identical in an XQL query for results to be found. For example, if a field value is "TIMESTAMP" and your query is defined to look for "timestamp", no results will be found.
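The syntax, the bracket form for dotted key names, and the case-sensitivity rule above, combined in one added XQL query (example written for this page, not from the Cortex XSIAM documentation). The dataset name my_json_logs, the string field payload, and the JSON content in the comments are assumptions.

```xql
// Assumed dataset my_json_logs with a string field `payload` holding, for example:
// {"hosts":["srv-01","srv-02"],"Ports":[22,443],"xdm.source.host.device_id":["dev-a","dev-b"]}
dataset = my_json_logs
| alter
    // Standard JSON path: returns an XQL-native array, not a quoted string
    host_list = json_extract_scalar_array(payload, "$.hosts"),
    // Keys are case sensitive: "$.Ports" matches, "$.ports" would return nothing
    port_list = json_extract_scalar_array(payload, "$.Ports"),
    missing_list = json_extract_scalar_array(payload, "$.ports"),
    // Key containing dots (an XDM field name) must use the bracket syntax from this page
    device_ids = json_extract_scalar_array(payload, "['xdm.source.host.device_id']")
// Work with the result as a native array: index into it or check its length
| alter first_host = arrayindex(host_list, 0), host_count = array_length(host_list)
| filter host_count > 0
| fields host_list, port_list, missing_list, device_ids, first_host, host_count
```

The missing_list column stays empty for every row, which is the quickest way to spot a key whose case does not match the source JSON.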

Example