JSONPath expressions

Applies to: ✅ Azure Data ExplorerAzure MonitorMicrosoft Sentinel

JSONPath notation describes the path to one or more elements in a JSON document.

The JSONPath notation is used in the following scenarios:

The following subset of the JSONPath notation is supported:

Path expression Description
$ Root object
. Selects the specified property in a parent object.
Use this notation if the property doesn't contain special characters.
['property'] or ["property"] Selects the specified property in a parent object. Make sure you put single quotes or double quotes around the property name.
Use this notation if the property name contains special characters, such as spaces, or begins with a character other than A..Za..z_.
[n] Selects the n-th element from an array. Indexes are 0-based.

Note

Wildcards, recursion, union, slices, and current object are not supported.

Example

Given the following JSON document:

{
  "Source": "Server-01",
  "Timestamp": "2023-07-25T09:15:32.123Z",
  "Log Level": "INFO",
  "Message": "Application started successfully.",
  "Details": {
    "Service": "AuthService",
    "Endpoint": "/api/login",
    "Response Code": 200,
    "Response Time": 54.21,
    "User": {
      "User ID": "user123",
      "Username": "kiana_anderson",
      "IP Address": "192.168.1.100"
    }
  }
}

You can represent each of the fields with JSONPath notation as follows:

"$.Source"                     // Source field
"$.Timestamp"                  // Timestamp field
"$['Log Level']"               // Log Level field
"$.Message"                    // Message field
"$.Details.Service"            // Service field
"$.Details.Endpoint"           // Endpoint field
"$.Details['Response Code']"   // Response Code field
"$.Details['Response Time']"   // Response Time field
"$.Details.User['User ID']"    // User ID field
"$.Details.User.Username"      // Username field
"$.Details.User['IP Address']" // IP Address field