JSON logs often contain nested objects. Zeal lets you traverse them using dot notation in any field reference.
zeal 'FROM app.json WHERE request.headers.host = "api.example.com"'

How it works

Given this log entry:
{
  "timestamp": "2024-01-15T10:30:06Z",
  "level": "error",
  "request": {
    "method": "POST",
    "path": "/api/users",
    "headers": {
      "host": "api.example.com"
    }
  },
  "status": 500
}
You can reference any field at any depth:
# Top-level field
zeal 'FROM app.json WHERE status = 500'

# One level deep
zeal 'FROM app.json WHERE request.method = "POST"'

# Two levels deep
zeal 'FROM app.json WHERE request.headers.host = "api.example.com"'
All the usual operators work with nested fields:
# Substring search on a nested field
zeal 'FROM app.json WHERE request.path CONTAINS "/api/users"'

# Combine nested and top-level conditions
zeal 'FROM app.json WHERE request.method = "POST" AND status >= 500'

# Group by a nested field
zeal 'FROM app.json WHERE level = "error" GROUP BY request.method'
Dot notation only applies to JSON-format logs. logfmt and plain text logs have flat field structures — you cannot use dot notation with them.
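
The lookup described above can be sketched in Python. This is an added example, not Zeal's own code. Treating a missing key or a non-object intermediate as "no match" is an assumption made here, and all sample lines after the first are constructed.

```python
import json
from collections import Counter

MISSING = object()  # sentinel: distinguishes an absent field from a JSON null

def resolve(record, path):
    """Walk a dotted path through nested objects; MISSING if any step fails."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def where(records, path, predicate):
    """Keep records whose field at `path` exists and satisfies `predicate`."""
    kept = []
    for rec in records:
        value = resolve(rec, path)
        if value is not MISSING and predicate(value):
            kept.append(rec)
    return kept

def group_by(records, path):
    """Count records per value at `path`; records lacking the field are skipped."""
    values = (resolve(rec, path) for rec in records)
    return Counter(v for v in values if v is not MISSING)

# Line 1 is the entry shown on this page; lines 2-4 are constructed edge cases:
# no headers object, a non-object "request", and a flat key containing a dot.
SAMPLE = """\
{"timestamp":"2024-01-15T10:30:06Z","level":"error","request":{"method":"POST","path":"/api/users","headers":{"host":"api.example.com"}},"status":500}
{"timestamp":"2024-01-15T10:30:07Z","level":"error","request":{"method":"GET","path":"/health"},"status":503}
{"timestamp":"2024-01-15T10:30:08Z","level":"info","request":"malformed","status":200}
{"timestamp":"2024-01-15T10:30:09Z","level":"error","request.method":"POST","status":500}
"""
LOGS = [json.loads(line) for line in SAMPLE.splitlines()]

def host_matches():
    # Two levels deep: request.headers.host = "api.example.com"
    return where(LOGS, "request.headers.host", lambda v: v == "api.example.com")

def post_5xx():
    # Nested and top-level conditions combined
    posts = where(LOGS, "request.method", lambda v: v == "POST")
    return [rec for rec in posts if rec["status"] >= 500]

def errors_by_method():
    # level = "error", grouped by the nested field request.method
    return group_by(where(LOGS, "level", lambda v: v == "error"), "request.method")

if __name__ == "__main__":
    print(len(host_matches()), len(post_5xx()), dict(errors_by_method()))
```

In this sketch the fourth line, whose key is the literal string `request.method`, never matches, because path traversal looks for a `request` object first; a flat record offers nothing to traverse.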
