Skip to content
Cruncher

unpack

unpack

Logs

Extract and flatten fields from a nested object or JSON string in a column.

| unpack <column> 
| unpack payload

The unpack command extracts and flattens fields from a nested object or JSON string in the specified column. For each key in the object or parsed JSON, a new column is created with the name <column>.<key>. This is useful for working with logs or data where fields are embedded as JSON or objects inside a single column.

Note: unpack operates on one column at a time. To unpack multiple columns, chain multiple unpack commands in the pipeline.

Parameters

Section titled “Parameters”
  • <column>: The name of the column to unpack (a single identifier or quoted name).

Usage

Section titled “Usage”
  • Use unpack to flatten nested objects or JSON strings in your data, making each key accessible as its own column.
  • If the column contains a JSON string, it will be parsed and its keys unpacked.
  • If the column is already an object, its keys will be unpacked directly.
  • If the column is not an object or a valid JSON string, an error will be logged and the row will be skipped for that column.
  • To unpack multiple columns, use consecutive unpack commands.

Examples

Section titled “Examples”

Unpack a JSON string in the payload column:

| unpack payload

If payload contains {"user":"alice","ip":"1.2.3.4"}, the result will have new columns: payload.user and payload.ip.

Unpack multiple columns by chaining:

| unpack payload | unpack details

Unpack an object column:

| unpack metadata

If metadata is already an object like {"env":"prod","region":"us-east"}, the result will have: metadata.env, metadata.region.