nano SIEM
Search Commands

spath

Extract fields from JSON or XML data. Parse structured data within text fields.

Description

The spath command extracts values from JSON or XML formatted fields using path expressions. This is useful when logs contain embedded JSON/XML that wasn't parsed at ingestion time.

Syntax

... | spath [input=<field>] [output=<field>] [path=<path>]

Optional Arguments

input
Syntax: input=<field>
Description: Field containing JSON/XML data
Default: _raw or message

output
Syntax: output=<field>
Description: Name for extracted field

path
Syntax: path=<jsonpath>
Description: JSON path to extract (e.g., user.name, data[0].id)

Examples

Auto-extract all JSON fields

* | spath

Extract specific path

* | spath path=user.email output=email

Extract from custom field

* | spath input=json_data path=response.status output=status

Extract nested value

* | spath path=metadata.user.id output=user_id

Extract array element

* | spath path=items[0].name output=first_item

Multiple extractions

* | spath path=user.name output=username
  | spath path=user.email output=email
  | spath path=user.role output=role

Usage Notes

Auto-detection: Without arguments, spath attempts to auto-extract every field from the JSON in the input field.

JSON path: Use dot notation for nested objects, brackets for arrays.

Performance: Parsing JSON/XML at query time is slower than ingestion-time parsing.

Alternative: Configure proper parsing at ingestion for better performance.
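To make the path notation and the auto-extraction behaviour concrete, here is a small Python model of the JSON side of spath (added example, not code from nano SIEM; the XML side is not covered). It assumes a single event is a dict of fields, that the input field defaults to _raw and then message as the arguments above describe, and, as an assumption not stated on this page, that an extracted field with no output= argument is named after the path itself. The sample event is constructed for the example.

```python
import json
import re
from typing import Any, Dict, List, Union

# Constructed sample event (not from the product): the _raw field carries embedded
# JSON that was not parsed at ingestion time, which is the case spath exists for.
SAMPLE_EVENT = {
    "_raw": json.dumps({
        "user": {"name": "alice", "email": "alice@example.com", "role": "admin"},
        "items": [{"name": "laptop", "id": 7}, {"name": "badge", "id": 9}],
        "metadata": {"user": {"id": 42}},
        "response": {"status": 403},
    }),
    "host": "web-01",
}

# A path is dot-separated keys, each optionally followed by one or more [n] indexes.
_PATH = re.compile(r"^[^.\[\]]+(\[\d+\])*(\.[^.\[\]]+(\[\d+\])*)*$")
_SEGMENT = re.compile(r"([^.\[\]]+)|\[(\d+)\]")
_MISSING = object()  # sentinel so a JSON null is still a real extracted value


def parse_path(path: str) -> List[Union[str, int]]:
    """Split 'items[0].name' into ['items', 0, 'name']: dots for object keys, [n] for array indexes."""
    if not _PATH.match(path):
        raise ValueError(f"malformed spath path: {path!r}")
    return [int(index) if index else key for key, index in _SEGMENT.findall(path)]


def resolve(obj: Any, tokens: List[Union[str, int]]) -> Any:
    """Walk parsed JSON along the tokens; return _MISSING when a key or index is absent."""
    for tok in tokens:
        if isinstance(tok, int):
            if not isinstance(obj, list) or tok >= len(obj):
                return _MISSING
        elif not isinstance(obj, dict) or tok not in obj:
            return _MISSING
        obj = obj[tok]
    return obj


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Auto-extraction: one field per leaf, named in the same dot/bracket notation path= accepts."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{i}]"))
    else:
        out[prefix] = obj
    return out


def spath(event: Dict[str, Any], input_field: str = None,
          output_field: str = None, path: str = None) -> Dict[str, Any]:
    """Model of `spath [input=<field>] [output=<field>] [path=<path>]` applied to one event."""
    # Default input: _raw, falling back to message, as the argument table documents.
    src = input_field or ("_raw" if "_raw" in event else "message")
    raw = event.get(src)
    result = dict(event)
    if raw is None:
        return result
    try:
        data = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        return result  # input is not JSON: the event passes through unchanged
    if path is None:
        result.update(flatten(data))  # auto-detection mode
    else:
        value = resolve(data, parse_path(path))
        if value is not _MISSING:
            # Assumption: without output=, the new field is named after the path.
            result[output_field or path] = value
    return result


if __name__ == "__main__":
    print(spath(SAMPLE_EVENT, path="items[0].name", output_field="first_item")["first_item"])
    print(sorted(spath(SAMPLE_EVENT)))
```

Running spath without a path on the sample event yields fields such as user.name, items[1].id and metadata.user.id alongside the original host field, which is why auto-detection on a large payload is noticeably slower than extracting one path or parsing at ingestion.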

  • rex - Extract with regex
  • eval - Transform extracted values