parse_json function interprets a string as JSON and returns the value as a dynamic object. Use this function to extract structured data from JSON-formatted log entries, API responses, or configuration values stored as JSON strings.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.Splunk SPL users
Splunk SPL users
In Splunk SPL, you use
spath to parse JSON. APL’s parse_json provides similar functionality with dynamic object support.ANSI SQL users
ANSI SQL users
In ANSI SQL, JSON parsing varies by database with different functions. APL’s
parse_json provides standardized JSON parsing.Usage
Syntax
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| json_string | string | Yes | A string containing valid JSON to parse. |
Returns
Returns a dynamic object representing the parsed JSON. If the JSON is invalid, returns the original string.Use case examples
- Log analysis
- OpenTelemetry traces
- Security logs
Parse JSON-formatted log messages to extract specific fields for analysis.QueryRun in PlaygroundOutput
This query parses JSON-formatted metadata from logs to extract performance metrics like response time and cache hit status.
| _time | response_time | cache_hit | endpoint | status |
|---|---|---|---|---|
| 2024-11-06T10:00:00Z | 145 | true | /api/users | 200 |
| 2024-11-06T10:01:00Z | 145 | true | /api/users | 200 |
List of related functions
- parse_url: Parses URLs into components. Use this specifically for URL parsing rather than general JSON.
- parse_csv: Parses CSV strings. Use this for comma-separated values rather than JSON.
- todynamic: Alias for parse_json. Use either name based on your preference.
- gettype: Returns the type of a value. Use this to check the types of parsed JSON fields.