In an event field mapping configuration, the source field—continuing from the root context defined by the Main Event JSON Path—specifies how to retrieve the desired data from the ingested payload. Because the payload is a JSON structure, it is useful to understand the types of JSONPath expressions that can be used for the source field.
Understanding JSONPath Traversal
Locating specific data within a JSON structure requires navigation through its hierarchical levels, including fields within objects and elements within arrays. This navigation process is referred to as traversal. A JSONPath expression is used to perform such traversal within the structure.
A filter expression evaluates each item from the immediately preceding path step—whether from an array or object—against the condition inside [?()], and returns the items for which the condition is true.
Copy the request information to Postman, then select a preprocessing playbook under the Additional Settings accordion.
Send the POST request on Postman.
Verify that an event was created in the Data Ingestion module.
Note the eventId number.
Navigate to the Investigation Dashboard page.
Select the site in which the API key was generated in step 6.
Locate the event with an ID matching the one observed in step 10, then click on the event to view its details.
Verify that the value extraction for the "target" field is displayed adjacent to the custom field configured in step 4.
Example 3 - Mixed Dot and Bracket Notation
OBJECTIVE – Demonstrate the mixed use of dot and bracket notation to extract the "target" field from the ingested JSON payload.
Navigate to the Fetch Event command of the Zendesk integration.
Click on the Set Up Event Field Extraction Mapping button.
Note the Main Event JSONPath expression (i.e., root context).
Select the Event Source for Organization option within the dropdown, then add a new field with any of the following sample source field values: SAMPLE 1
Copy the request information to Postman, then select a preprocessing playbook under the Additional Settings accordion.
Send the POST request on Postman.
Verify that an event was created in the Data Ingestion module.
Note the eventId number.
Navigate to the Investigation Dashboard page.
Select the site in which the API key was generated in step 6.
Locate the event with an ID matching the one observed in step 10, then click on the event to view its details.
Verify that the value extraction for the "target" field is displayed adjacent to the custom field configured in step 4.
Example 4 - Recursive Descent
OBJECTIVE – Demonstrate the use of recursive descent to extract the "target" field from the ingested JSON payload.
Navigate to the Fetch Event command of the Zendesk integration.
Click on the Set Up Event Field Extraction Mapping button.
Note the Main Event JSONPath expression (i.e., root context).
Select the Event Source for Organization option within the dropdown, then add a new field with any of the following sample source field values:
SAMPLE 1: ..target
SAMPLE 2: ..layer5.target
SAMPLE 3: .demo_key..target
SAMPLE 4: ..layer2..target
Enable webhook authentication, then select the API Key option.
Copy the request information to Postman, then select a preprocessing playbook under the Additional Settings accordion.
Send the POST request on Postman.
Verify that an event was created in the Data Ingestion module.
Note the eventId number.
Navigate to the Investigation Dashboard page.
Select the site in which the API key was generated in step 6.
Locate the event with an ID matching the one observed in step 10, then click on the event to view its details.
Verify that the value extraction for the "target" field is displayed adjacent to the custom field configured in step 4.
Example 5 - Filter Expression
OBJECTIVE – Demonstrate the use of various filter expressions to extract the "target" field from the ingested JSON payload.
EXPRESSION RESTRICTION
Fields above the level of the filtered array item cannot be retrieved.
INVALID EXAMPLES
🚫 ..[?(@.target == 'value A2')].name
🚫 ..[?(@.target == 'value A2')].notes
🚫 ..[?(@.target == 'value A2')].group_id
Navigate to the Fetch Event command of the Zendesk integration.
Click on the Set Up Event Field Extraction Mapping button.
Note the Main Event JSONPath expression (i.e., root context).
Select the Event Source for Organization option within the dropdown, then add seven fields with the following source field values:
DEMO FIELD 1 (returns an object): ..[?(@.target == 'demo value 133')]
DEMO FIELD 2: ..[?(@.target == 'demo value 133')].target
DEMO FIELD 3 (returns an object with nested objects): ..[?(@['layer4'].layer5['target'] == 'demo value 133')]
Copy the request information to Postman, then select a preprocessing playbook under the Additional Settings accordion.
Send the POST request on Postman.
Verify that an event was created in the Data Ingestion module.
Note the eventId number.
Navigate to the Investigation Dashboard page.
Select the site in which the API key was generated in step 6.
Locate the event with an ID matching the one observed in step 10, then click on the event to view its details.
Verify that the value extraction for the "target" field is displayed adjacent to the custom field configured in step 4.
FAQ
Where can users configure the Main Event JSONPath expression?
The Main Event JSON Path, configured in (Default Event Source) > Edit Event Source, defines the root context from which individual source fields are resolved.
Why does the user receive an "Invalid JSON path expression" message?
Possible syntax errors include:
Unmatched brackets
Example error: ..[?(@.group_id==133]
Should be: ..[?(@.group_id==133)]
Missing or incorrect use of quotes
Example error: ..[?(@.name==org 133)]
Should be: ..[?(@.name=='org 133')]
Incorrect logical operator syntax
Example error: ..[?(@.group_id=133)]
Should be: ..[?(@.group_id==133)]
Trailing or misplaced dots
Example error: .name.
Should be: .name
Incorrect recursive descent placement
Example error: [..target]
Should be: ..target
Missing square filter brackets
Example error: ..?(@.group_id==133)
Should be: ..[?(@.group_id==133)]
Why does the user not see their custom fields in the Event Details popover?
Possible reasons (in reference to the sample payload) include:
Absent source field in ingested data
Example error: ..non_existent_field
Sample fix: ..target
Source field points to a null, empty string, empty object, or empty array
Example error: .external_id (a null value)
Incorrect assumption of square-bracket prefix when the Main Event JSONPath is an array
Example error: [*]..target
Sample fix: ..target
Incorrect path context
Example error: ..[?(@.group_id)].target
The target field is not a direct child of the object containing group_id
Sample fix: ..[?(@.group_id)]..target
Incorrect application of filter
The filter expression [?()] applies only to arrays, not single objects.
Example error: ..layer4[?(@.target=='demo value 133')]
This expression applies a filter to layer4, which is an object, not an array.
Sample fix: ..layer4.layer5.target
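The syntax errors and empty-result cases in the two FAQ answers above can be reproduced offline with a small evaluator; this is an added example, not the product's code, and it handles only a subset of JSONPath (dot steps, recursive descent and dot-path filters, no bracket notation). The payload is constructed, with only the key names taken from this page, and the array-only filter behaviour follows the rule stated above rather than the product's actual engine.

```python
import re

# Constructed payload, not the page's sample; only the key names come from the page.
EVENT = {
    "name": "org 133",
    "external_id": None,
    "demo_key": {"layer2": [
        {"group_id": 133, "layer4": {"layer5": {"target": "demo value 133"}}},
        {"group_id": 134, "target": "value A2"},
    ]},
}

STEP = r"(\.\.|\.)?(?:(\w+)|\[\?\(([^()]+)\)\])"   # .key  ..key  [?(cond)]
COND = re.compile(r"@((?:\.\w+)+)\s*(?:==\s*(?:'([^']*)'|(\d+)))?$")

def descendants(node):
    """Yield node and everything nested beneath it (recursive descent)."""
    yield node
    kids = node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()
    for kid in kids:
        yield from descendants(kid)

def matches(item, cond):
    """Test one array item against @.a.b, @.a.b == 'text' or @.a == 123."""
    path, text, number = COND.match(cond.strip()).groups()
    for key in path[1:].split("."):
        if not isinstance(item, dict) or key not in item:
            return False
        item = item[key]
    if text is None and number is None:
        return True                      # bare @.key is an existence test
    return item == (text if text is not None else int(number))

def extract(expr, root=EVENT):
    """Resolve a source-field expression relative to the root context."""
    steps = re.findall(STEP, expr)
    bad = any(c and not COND.match(c.strip()) for _, _, c in steps)
    if bad or not re.fullmatch(f"(?:{STEP})+", expr):
        raise ValueError("Invalid JSON path expression")
    nodes = [root]
    for sep, key, cond in steps:
        if sep == "..":
            nodes = [d for n in nodes for d in descendants(n)]
        if key:
            nodes = [n[key] for n in nodes if isinstance(n, dict) and key in n]
        else:  # filter: tests the items of an array and returns only those items
            nodes = [i for n in nodes if isinstance(n, list) for i in n if matches(i, cond)]
    return nodes
```

With this payload, `..[?(@.group_id == 133)].target` resolves to an empty list while `..[?(@.group_id == 133)]..target` returns the nested value, and an empty list is what leaves a custom field without a value.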
What does extracting targets at every depth using recursive descent mean?