jq Command Line Reference

Reference

JQ Reference

JSON Data

{"Records":[{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIKZBKHVPCNMTX2M7Y:al-cloud_explorer","arn":"arn:aws:sts::056128891991:assumed-role/alertlogic-iam-role-cd-ful-ALIamRolecdfull20160426-1JFOEMVG88FOK/al-cloud_explorer","accountId":"056128891991","accessKeyId":"ASIAQ2EMK5RLS4OHRA4A","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-03-01T02:07:20Z"},"sessionIssuer":{"type":"Role","principalId":"AROAIKZBKHVPCNMTX2M7Y","arn":"arn:aws:iam::056128891991:role/alertlogic-iam-role-cd-ful-ALIamRolecdfull20160426-1JFOEMVG88FOK","accountId":"056128891991","userName":"alertlogic-iam-role-cd-ful-ALIamRolecdfull20160426-1JFOEMVG88FOK"}}},"eventTime":"2019-03-01T02:07:58Z","eventSource":"elasticloadbalancing.amazonaws.com","eventName":"DescribeLoadBalancers","awsRegion":"ap-northeast-1","sourceIPAddress":"54.84.151.1...............

Remove outer array

jq '.[]

Output:

[
  {
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "AssumedRole",
      "principalId": "AROAIKZBKHVPCNMTX2M7Y:al-cloud_explorer",
      "arn": "arn:aws:sts::056128891991:assumed-role/alertlogic-iam-role-cd-ful-ALIamRolecdfull20160426-1JFOEMVG88FOK/al-cloud_explorer",
      "accountId": "056128891991",

Remove Both outer arrays

jq '.[]|.[]'

Output:

  {
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "AssumedRole",
      "principalId": "AROAIKZBKHVPCNMTX2M7Y:al-cloud_explorer",
      "arn": "arn:aws:sts::056128891991:assumed-role/alertlogic-iam-role-cd-ful-ALIamRolecdfull20160426-1JFOEMVG88FOK/al-cloud_explorer",
      "accountId": "056128891991",

Return the value in the eventSource field

jq '.[] | .[] | .eventSource'

Output:

"elasticloadbalancing.amazonaws.com"
"elasticloadbalancing.amazonaws.com"
"elasticloadbalancing.amazonaws.com"
"ec2.amazonaws.com"
"ec2.amazonaws.com"
"ec2.amazonaws.com"
"ec2.amazonaws.com"
"ec2.amazonaws.com"
"ec2.amazonaws.com"
"ec2.amazonaws.com"
"ec2.amazonaws.com"

Return the value in the type field

Query: jq '.[] | .[] | .userIdentity.type'

Output:

"AssumedRole"
"AssumedRole"
"AssumedRole"
"AssumedRole"
"AssumedRole"
"AssumedRole"
"AssumedRole"
"AssumedRole"
"AssumedRole"

Return the value in the eventVersion AND the eventSource field

Query: jq '.[] | .[] | .eventVersion, .eventSource'

Output:

"1.05"
"elasticloadbalancing.amazonaws.com"
"1.05"
"elasticloadbalancing.amazonaws.com"
"1.05"
"elasticloadbalancing.amazonaws.com"
"1.05"
"ec2.amazonaws.com"
"1.05"
"ec2.amazonaws.com"
"1.05"
"ec2.amazonaws.com"

Return objects with the value of elasticloadbalancing.amazonaws.com in the eventSource

Query: jq '.[] | .[] | select(.eventSource=="elasticloadbalancing.amazonaws.com")'

Output:

{
  "eventVersion": "1.05",
  "eventTime": "2019-03-01T02:07:58Z",
  "eventSource": "elasticloadbalancing.amazonaws.com",
  "eventName": "DescribeLoadBalancers",
  "awsRegion": "ap-northeast-1",
  "sourceIPAddress": "54.84.151.179",
  "requestParameters": {
    "pageSize": 400
  }
{
  "eventVersion": "1.05",
  "eventTime": "2019-03-01T02:07:56Z",
  "eventSource": "elasticloadbalancing.amazonaws.com",
  "eventName": "DescribeLoadBalancers",
  "awsRegion": "ap-northeast-1",
  "sourceIPAddress": "54.84.151.179",
  "requestParameters": {
    "pageSize": 400
  }

Return .eventNames from objects with the value of elasticloadbalancing.amazonaws.com OR ec2.amazonaws.com

Query: jq '.[] | .[] | select((.eventSource=="ec2.amazonaws.com") or .eventSource=="elasticloadbalancing.amazonaws.com") | .eventName

Output:

"elasticloadbalancing.amazonaws.com"
"elasticloadbalancing.amazonaws.com"
"elasticloadbalancing.amazonaws.com"
"ec2.amazonaws.com"
"ec2.amazonaws.com"
"ec2.amazonaws.com"
"ec2.amazonaws.com"
"ec2.amazonaws.com"

Return eventID values from objects where eventSource:elasticloadbalancing.amazonaws.com

Query: jq '.[] | .[] | select(.eventSource=="elasticloadbalancing.amazonaws.com") | .eventID'

Output:

"f8044988-6028-4bd9-8e43-67cb4238a2db"
"ea5ff13a-32da-43be-aad8-1458f03e6e35"
"9e6cceb6-cfd2-49d9-8760-dd61cd1abe93"

Return eventID and accountId values from objects where eventSource:elasticloadbalancing.amazonaws.com

Query: jq '.[] | .[] | select(.eventSource=="elasticloadbalancing.amazonaws.com") | .eventID, .userIdentity.accountId'

Output:

"f8044988-6028-4bd9-8e43-67cb4238a2db"
"056128891991"
"ea5ff13a-32da-43be-aad8-1458f03e6e35"
"056128891991"
"9e6cceb6-cfd2-49d9-8760-dd61cd1abe93"
"056128891991"

Return eventID and accountId (nested) values inside of an array

Query: jq '.[] | .[] | select(.eventSource=="elasticloadbalancing.amazonaws.com") | [.eventID, .userIdentity.accountId]'

Output:

[
  "f8044988-6028-4bd9-8e43-67cb4238a2db",
  "056128891991"
]
[
  "ea5ff13a-32da-43be-aad8-1458f03e6e35",
  "056128891991"
]
[
  "9e6cceb6-cfd2-49d9-8760-dd61cd1abe93",
  "056128891991"
]