Solved: JSON parsing: fieldsAdd or

ghfsa · ‎29 Apr 2024

I have a DQL which filters down to one of two possible JSONs:

content = {"code":"an_error_code","error":{"code":"an_error_code","message":"An error message appears here..."}

or

content = {"level":"error","message":"Some error here..."}

The output I want is: timestamp + error code (or empty string) + error message. So far, I have:

fetch logs
| filter k8s.namespace.name == "default"
| filter contains(content, "error")
| parse content, "JSON:parsedJSON"
| fieldsAdd error_code = parsedJSON[error][code], error_message = (parsedJSON[message] or parsedJSON[error][message])

FranciscoGarcia · ‎10 May 2024

This should do it

data record(timestamp=now(), content = """{"code":"an_error_code","error":{"code":"an_error_code","message":"An error message appears here..."}}"""),
     record(timestamp=now(), content = """{"level":"error","message":"Some error here..."}""")

| parse content, "JSON:parsedJSON"
| fieldsAdd error_code = parsedJSON[error][code], error_message = if (isNull(parsedJSON[message]), parsedJSON[error][message], else:parsedJSON[message])
| fieldsAdd output=concat(toString(timestamp),"--- ",error_code, " ",error_message )
| fields output

FranciscoGarcia · ‎10 May 2024

krzysztof_hoja · ‎10 May 2024

Simpler way to express:

error_message = if (isNull(parsedJSON[message]), parsedJSON[error][message], else:parsedJSON[message])

is using coalesce function

error_message =coalesce(parsedJSON[message], parsedJSON[error][message])

Kris