Why do I get NULL results when querying fields under the payload column in the classification_failures table in Panther?
Last updated: September 3, 2024
Issue
When trying to query for specific fields under the payload column in the classification_failures table, I get NULL results.
Answer
To resolve the NULL results, you can use the PARSE_JSON() function in your query.
For example, if you are looking to extract only the AlarmName for a payload value similar to {"AlarmName":"my-alarm-value","AlarmDescription"...} you can run:
SELECT PARSE_JSON(payload):AlarmName
FROM panther_monitor.public.classification_failures
WHERE payload LIKE '%AlarmName%'
LIMIT 10;

Make sure to include a WHERE clause in your query.
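The following is an added example, not part of the original article. It extends the query above to show which alarms account for the most classification failures, using the two keys from the sample payload. It assumes a Snowflake-backed data lake, where TRY_PARSE_JSON returns NULL for a payload that is not valid JSON instead of failing the query. The CTE name and column aliases are illustrative.

```sql
-- Added example: summarize classification failures by alarm name.
-- Assumes Snowflake SQL; the CTE name and aliases are illustrative.
WITH parsed AS (
    SELECT
        -- payload is stored as a string, so it must be parsed before
        -- path access; TRY_PARSE_JSON yields NULL for invalid JSON
        TRY_PARSE_JSON(payload) AS doc
    FROM panther_monitor.public.classification_failures
    -- Narrow to candidate rows with a string match, as advised above
    WHERE payload LIKE '%AlarmName%'
)
SELECT
    doc:AlarmName::STRING             AS alarm_name,
    MIN(doc:AlarmDescription::STRING) AS sample_description,
    COUNT(*)                          AS failures
FROM parsed
-- Drop rows whose payload matched the string filter but did not parse
WHERE doc IS NOT NULL
GROUP BY alarm_name
ORDER BY failures DESC
LIMIT 10;
```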