How do I use a nested JSON field as Lookup Table selector in Panther?
QUESTION
How do I add a nested JSON field as the selector for an associated log type when setting up a lookup table?
ANSWER
Using the following JSON object as an example, use JSONPath syntax; either dot notation, bracket notation, or a combination, as shown below.
{ "store": { "book": [ "book0": { "title": "Book Title 0" "numPages": 25 } "book1": { "title": "Book Title 1" "numPages": 30 } ] } }
$.store.book[0].title
returns the title of the zeroth book in the store, using dot notation.
$['store']['book'][0]['title']
does the same thing using bracket notation.
$['store'].book[0].title
combines the styles and yields the same result.