JSONPath expressions
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
JSONPath notation describes the path to one or more elements in a JSON document.
The JSONPath notation is used in the following scenarios:
- To specify data mappings for ingestion
- To specify data mappings for external tables
- In Kusto Query Language (KQL) functions that process dynamic objects, like bag_remove_keys() and extract_json()
The following subset of the JSONPath notation is supported:
Path expression | Description |
---|---|
$ |
Root object |
. |
Selects the specified property in a parent object. Use this notation if the property doesn't contain special characters. |
['property'] or ["property"] |
Selects the specified property in a parent object. Make sure you put single quotes or double quotes around the property name. Use this notation if the property name contains special characters, such as spaces, or begins with a character other than A..Za..z_ . |
[n] |
Selects the n-th element from an array. Indexes are 0-based. |
Note
Wildcards, recursion, union, slices, and current object are not supported.
Example
Given the following JSON document:
{
"Source": "Server-01",
"Timestamp": "2023-07-25T09:15:32.123Z",
"Log Level": "INFO",
"Message": "Application started successfully.",
"Details": {
"Service": "AuthService",
"Endpoint": "/api/login",
"Response Code": 200,
"Response Time": 54.21,
"User": {
"User ID": "user123",
"Username": "kiana_anderson",
"IP Address": "192.168.1.100"
}
}
}
You can represent each of the fields with JSONPath notation as follows:
"$.Source" // Source field
"$.Timestamp" // Timestamp field
"$['Log Level']" // Log Level field
"$.Message" // Message field
"$.Details.Service" // Service field
"$.Details.Endpoint" // Endpoint field
"$.Details['Response Code']" // Response Code field
"$.Details['Response Time']" // Response Time field
"$.Details.User['User ID']" // User ID field
"$.Details.User.Username" // Username field
"$.Details.User['IP Address']" // IP Address field