JSON Extract
The JSON Extract rule promotes a nested JSON field to a top-level metadata field, making it available for filtering and aggregation.
When to Use
- Your logs are already in JSON format.
- The value you need for filtering or grouping is nested inside an object.
- You want to use a nested value in dashboards, alerts, or quick filters without writing a regex.
JSON Extract vs. Extract
| | JSON Extract | Extract |
|---|---|---|
| Input format | JSON logs | Any text or field value |
| How it finds the value | JSON key path (dot notation) | Regex pattern |
| Best for | Structured JSON logs with nested fields | Semi-structured or unstructured text |
Fields
| Field | Required | Description |
|---|---|---|
| Name | Yes | Rule identifier |
| Json Key | Yes | Dot-notation path to the nested field (e.g., data.request.userId) |
| Destination Field | Yes | The top-level metadata field to assign the value to (selected from dropdown) |
How It Works
The rule traverses the JSON log using the dot-separated key path. If the key exists, its value is written to the specified destination metadata field. The original nested field remains unchanged.
Examples
Promote User ID
Input log:
{
  "timestamp": "2026-03-10T13:55:36Z",
  "data": {
    "request": {
      "userId": "usr_12345",
      "action": "checkout"
    }
  }
}
- Json Key: data.request.userId
- Destination Field: user_id
Result: usr_12345 is now accessible as the top-level user_id metadata field, usable in filters and aggregations.
Promote Error Code
Input log:
{
  "level": "error",
  "error": {
    "code": "TIMEOUT_EXCEEDED",
    "details": "Connection to DB timed out after 30s"
  }
}
- Json Key: error.code
- Destination Field: error_code
Result: TIMEOUT_EXCEEDED is promoted to a top-level error_code field.
Tips
- Use dot notation to access nested keys: parent.child.grandchild.
- If the key path doesn't exist in a log, the rule is skipped for that log; no error is raised.
- JSON Extract is simpler and more reliable than regex-based extraction when your logs are already JSON.
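Because a missing key path is skipped without an error, a mistyped path or a renamed field silently leaves the destination field empty, which matters when alerts filter on it. The following is an added example, not the product's own code: a small Python model of the traversal described under How It Works, used to count how many sample logs a rule would populate versus skip. The function names are hypothetical, the sample logs are constructed, and the handling of non-JSON lines and null values is an assumption.

```python
import json

MISSING = object()  # sentinel: distinguishes "path absent" from a JSON null value


def resolve_path(doc, json_key):
    """Walk a dot-separated key path; return MISSING if any step is absent."""
    node = doc
    for part in json_key.split("."):
        # A step fails if the current node is not an object or lacks the key.
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def apply_json_extract(raw_log, json_key, destination_field):
    """Return the metadata the rule would add; empty dict means 'skipped'."""
    try:
        log = json.loads(raw_log)
    except json.JSONDecodeError:
        return {}  # assumption: non-JSON lines are skipped like a missing path
    value = resolve_path(log, json_key)
    if value is MISSING:
        return {}
    return {destination_field: value}  # the nested field itself is not modified


def coverage(raw_logs, json_key, destination_field):
    """Count logs where the rule extracted a value vs. silently skipped."""
    counts = {"extracted": 0, "skipped": 0}
    for raw in raw_logs:
        meta = apply_json_extract(raw, json_key, destination_field)
        counts["extracted" if destination_field in meta else "skipped"] += 1
    return counts


# Constructed sample logs (not from the original page)
SAMPLE_LOGS = [
    '{"data": {"request": {"userId": "usr_12345", "action": "checkout"}}}',
    '{"data": {"request": {"user_id": "usr_67890"}}}',  # key renamed upstream
    '{"data": {"request": "GET /health"}}',             # intermediate is a string
    "plain text line",                                  # not JSON at all
]

if __name__ == "__main__":
    print(coverage(SAMPLE_LOGS, "data.request.userId", "user_id"))
```

A high skipped count on logs that should carry the field is the signal to recheck the Json Key against the current log schema.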