I have two JSON files as below. I am trying to get the event ID from both in BigFix Relevance but it always fails. Any help would be appreciated.
File 1:
[
{
“EventID”: 1001,
“Server”: “ssss”,
“Message”: “The SNMP Service has started successfully.”,
“Time”: “2025-03-17 08:04:04”
}
]
File 2:
{
"EventID": 6008,
"Server": "sfsfs",
"Message": "The SNMP Service has started successfully.",
"Time": "2025-02-17 08:05:33"
}
Welcome @arunjayaraj
See relevance below for your 1st file, you can use same for your 2nd as well.
Q: preceding text of first "," of following text of first "%22EventID%22: " of line whose (it as lowercase contains "eventid") of file "C:\temp\test.json"
A: 1001
T: 1.220 ms
Please, if you’re asking us to help you with a technical query like this, can you post the snippet using the ‘preformatted text’ format; and validate that your sample data is correct.
Do you really have two different formats of JSON in these files? In your sample ‘File 1’ appears to contain an array of dictionaries, but your sample for ‘File 2’ contains only a single dictionary (no array). If these are two different formats, fine, but if not, we’ll need to know which one to use.
I am running a powershell script to generate a json file with event IDs… So, for some servers, where the result is only 1, I’ll get the file with json object and if there are multiple events, the json file will be an array.
You could always just create an array of a single element though? That would make the relevance the same in both cases.
Otherwise, here are relevance statements for each format - but each throws an error if we try to evaluate it against the other file, and I’m not sure how to trap those errors (that are thrown externally in the JSON libraries)
q: values of keys "EventID" of elements of jsons of file "c:\temp\json\File 1.json"
A: 1001
T: 0.632 ms
I: plural json value
q: values of keys "EventID" of jsons of file "c:\temp\json\File 2.json"
A: 6008
T: 0.309 ms
I: plural json value
1 Like
Ok, I sorted out the error-handling in Relevance, but it would be far preferable to coerce your JSON into a single format, by having an array of 1 element for one event or an array of zero elements where the event does not exist.
In any case,
q: (values of keys "EventID" of it) of (if (exists keys "EventID" of it | False) then it else if (exists elements of it |False) then elements of it else nothing ) of jsons of files of folders "c:\temp\json"
A: 1001
A: 6008
T: 0.712 ms
I: plural json value
1 Like
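Since the generating script is PowerShell, here is an added example (not from the thread, and not the poster's script) of coercing the output into the single array format suggested above, so one Relevance query works for every server. The Get-WinEvent filter (System log, provider name "SNMP") and the output path are assumptions; adjust them to the real log source.

```powershell
# Collect the events of interest. Wrapping the whole pipeline in @() guarantees
# $events is an array: one element, many elements, or zero elements when
# nothing matched (Get-WinEvent then emits nothing instead of an error).
$events = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'SNMP' } `
                 -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            EventID = $_.Id
            Server  = $env:COMPUTERNAME
            Message = $_.Message
            Time    = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        }
    }
)

# Pitfall: piping a one-element array into ConvertTo-Json lets PowerShell unroll
# it, producing a bare {...} object (the "File 2" shape). Passing the array via
# -InputObject keeps the outer [...] even for one element, and an empty array
# serialises as [], which "elements of jsons of file" handles without error.
$json = ConvertTo-Json -InputObject $events -Depth 3
Set-Content -Path 'C:\temp\test.json' -Value $json -Encoding UTF8
```

With every file in this shape, the query `values of keys "EventID" of elements of jsons of file "C:\temp\test.json"` returns all IDs or nothing, and the conditional wrapper is no longer needed.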
@JasonWalker this approach is entirely different! I have a quick question since this is new to me: Why can’t we use the lines of the file for it? What is the difference between using the values of keys and the lines of the file in terms of relevance?
Both seem to be doing the same job!
Q: preceding text of first "," of following text of first "%22EventID%22: " of line whose (it as lowercase contains "eventid") of file "C:\temp\testMSIP.json"
A: 1001
T: 5.714 ms
Q: values of keys "EventID" of elements of jsons of file "C:\temp\testMSIP.json"
A: 1001
T: 4.907 ms
Sure, this can be done either way and I love having multiple solutions for any given problem.
When the file is in JSON, XML, or INI format, I prefer to use the native inspectors because they can take advantage of the file structures.
For this example file, each key/value pair is on its own line, but the following JSON fragments are equivalent:
[{"EventID": 1001,"Server": "ssss","Message": "The SNMP Service has started successfully.","Time": "2025-03-17 08:04:04"}]
or
[
{
"EventID":
1001,
"Server":
"ssss",
"Message":
"The SNMP Service has started successfully.",
"Time":
"2025-03-17 08:04:04"
}
]
Using the native inspectors means we don’t have to change the query if the representation changes.
3 Likes
Thanks @JasonWalker
Understood!
Hear hear! The beauty of JSON – or any other structured data format – is that it’s structured. Rigor in data is good!

2 Likes