The following jq expressions may be helpful in your workflows when using the Run jq Command step. For more expressions, see the jq cheat sheet.
You can use the jq steps to transform JSON with jq without writing any code yourself.
Filter for records
Filter an array of user records (pulled from Microsoft Graph) for those whose last sign-in, read from the signInActivity.lastSignInDateTime field of each record, is older than 90 days; the cutoff epoch is supplied by the get_date step referenced in the template:
group_by(.userPrincipalName) | map(.[] + {"lastSignInDateEpoch":(.[].signInActivity.lastSignInDateTime //empty | fromdateiso8601 as $Epochdate | $Epochdate) }) | .[] | select (.lastSignInDateEpoch < {{ $.get_date.timestamp }} )
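The expression above run against a constructed sample, as an added example that is not part of the original page: the `{{ $.get_date.timestamp }}` template is replaced by a jq `--argjson` variable (the redundant `as $Epochdate | $Epochdate` is dropped), and a second filter shows the caveat that `// empty` silently drops accounts with no sign-in record at all, which a stale-account review usually wants to keep.

```shell
#!/bin/sh
# Constructed sample of Microsoft Graph user records with signInActivity.
# carol has never signed in, so the field is absent.
SAMPLE='[
  {"userPrincipalName":"alice@example.com","signInActivity":{"lastSignInDateTime":"2024-01-02T10:00:00Z"}},
  {"userPrincipalName":"bob@example.com","signInActivity":{"lastSignInDateTime":"2024-06-01T09:30:00Z"}},
  {"userPrincipalName":"carol@example.com"}
]'
# 2024-03-17T00:00:00Z: "now minus 90 days" for a run on 2024-06-15 (stands in for get_date.timestamp).
CUTOFF=1710633600

# The page's expression; the template placeholder becomes $cutoff. Returns the stale UPNs joined by commas.
stale_users() {
  printf '%s' "$SAMPLE" | jq -r --argjson cutoff "$CUTOFF" '
    [ group_by(.userPrincipalName)
      | map(.[] + {"lastSignInDateEpoch": (.[].signInActivity.lastSignInDateTime // empty | fromdateiso8601)})
      | .[] | select(.lastSignInDateEpoch < $cutoff) | .userPrincipalName
    ] | join(",")'
}

# Variant that keeps never-signed-in accounts: a missing lastSignInDateTime becomes a null epoch
# and is selected alongside the stale ones, instead of being dropped by "// empty".
stale_or_never_signed_in() {
  printf '%s' "$SAMPLE" | jq -r --argjson cutoff "$CUTOFF" '
    [ .[]
      | .lastSignInDateEpoch = (.signInActivity.lastSignInDateTime | if . == null then null else fromdateiso8601 end)
      | select(.lastSignInDateEpoch == null or .lastSignInDateEpoch < $cutoff)
      | .userPrincipalName
    ] | join(",")'
}

echo "stale (page expression):     $(stale_users)"
echo "stale or never signed in:    $(stale_or_never_signed_in)"
```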
Compare arrays based on a common key
[[.[0]+.[1] | group_by(.email)[] ] | .[] |select (length > 1) |add]
Reduce arrays
reduce .[] as $i ({}; .[$i.description] = $i)
Merge data points into an array
.[] | {"event":.,"time": (.timestamp | scan("(.+?)([.][0-9]+)?Z$") | [(.[0] + "Z" | fromdateiso8601), (.[1] // 0 | tonumber)] | add), "index": "{{ $.set_workflow_variables.vars.splunk_index }}", "source": "{{ $.set_workflow_variables.vars.splunk_source }}", "host": "{{ $.set_workflow_variables.vars.splunk_host }}", "sourcetype": "{{ $.set_workflow_variables.vars.splunk_sourcetype }}" }
Delete keys from JSON
Delete a key from every object in an array without listing the keys you want to keep:
[.[] | del (.field3)]
Dedupe 5 lists in a single step
Concatenate and dedupe 5 lists in one step:
[.[0]+.[1]+.[2]+.[3]+.[4] ] | add | unique
Workflow
The following workflow provides examples of jq steps using the jq expressions above.
