Skip to main content
Panther Knowledge Base

How do I use a nested JSON field as Lookup Table selector in Panther?

QUESTION

 How do I add a nested JSON field as the selector for an associated log type when setting up a lookup table?

ANSWER

 Using the following JSON object as an example, use JSONPath syntax; either dot notation, bracket notation, or a combination, as shown below.

{
  "store": {
    "book": [
      "book0": {
        "title": "Book Title 0"
        "numPages": 25
      }
      "book1": {
        "title": "Book Title 1"
        "numPages": 30
      }
    ]
  }
}

$.store.book[0].title returns the title of the zeroth book in the store, using dot notation.

$['store']['book'][0]['title'] does the same thing using bracket notation.

$['store'].book[0].title combines the styles and yields the same result.