> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tracecat.com/llms.txt
> Use this file to discover all available pages before exploring further.

# JSONPath

> Quick reference for JSONPath syntax, filters, and access patterns used in Tracecat expressions to read fields from triggers, actions, secrets, and variables.

## Filter patterns

Equality:

<CodeGroup>
  ```yaml Expression theme={null}
  high_alerts: ${{ TRIGGER.alerts[?(@.severity == "high")] }}
  open_findings: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")] }}
  ```

  ```json Result theme={null}
  {
    "high_alerts": [{"id": "al-1", "severity": "high"}],
    "open_findings": [{"id": "f-1", "status": "open"}]
  }
  ```
</CodeGroup>

Inequality:

<CodeGroup>
  ```yaml Expression theme={null}
  secondary_roles: ${{ ACTIONS.parse_event.result.included[?(@.attributes.incident_role.data.attributes.slug != "primary-role")] }}
  ```

  ```json Result theme={null}
  {
    "secondary_roles": [
      {
        "attributes": {
          "incident_role": {
            "data": {
              "attributes": {
                "slug": "secondary-role"
              }
            }
          }
        }
      }
    ]
  }
  ```
</CodeGroup>

Numeric comparison:

<CodeGroup>
  ```yaml Expression theme={null}
  critical_scores: ${{ ACTIONS.lookup_users.result.users[?(@.score >= 90)] }}
  recent_events: ${{ TRIGGER.events[?(@.count > 10)] }}
  ```

  ```json Result theme={null}
  {
    "critical_scores": [{"name": "Alice", "score": 96}],
    "recent_events": [{"id": "evt-1", "count": 14}]
  }
  ```
</CodeGroup>

Truthy field check:

<CodeGroup>
  ```yaml Expression theme={null}
  users_with_email: ${{ ACTIONS.lookup_users.result.users[?(@.email)] }}
  alerts_with_owner: ${{ TRIGGER.alerts[?(@.owner)] }}
  ```

  ```json Result theme={null}
  {
    "users_with_email": [{"name": "Alice", "email": "alice@example.com"}],
    "alerts_with_owner": [{"id": "al-1", "owner": "secops"}]
  }
  ```
</CodeGroup>

String matching by exact value:

<CodeGroup>
  ```yaml Expression theme={null}
  prod_hosts: ${{ ACTIONS.inventory.result.hosts[?(@.environment == "prod")] }}
  linux_hosts: ${{ ACTIONS.inventory.result.hosts[?(@.os == "linux")] }}
  ```

  ```json Result theme={null}
  {
    "prod_hosts": [{"hostname": "api-1", "environment": "prod"}],
    "linux_hosts": [{"hostname": "api-1", "os": "linux"}, {"hostname": "worker-1", "os": "linux"}]
  }
  ```
</CodeGroup>

Nested field checks:

<CodeGroup>
  ```yaml Expression theme={null}
  owned_devices: ${{ TRIGGER.assets[?(@.owner.name == "SecOps")] }}
  resolved_cases: ${{ ACTIONS.search_cases.result.items[?(@.status.name == "resolved")] }}
  ```

  ```json Result theme={null}
  {
    "owned_devices": [{"id": "dev-1", "owner": {"name": "SecOps"}}],
    "resolved_cases": [{"id": "case-2", "status": {"name": "resolved"}}]
  }
  ```
</CodeGroup>

Filter and project a nested field:

<CodeGroup>
  ```yaml Expression theme={null}
  role_slugs: ${{ ACTIONS.parse_event.result.included[?(@.attributes.incident_role.data.attributes.slug)].attributes.incident_role.data.attributes.slug }}
  ```

  ```json Result theme={null}
  {
    "role_slugs": ["primary-role", "secondary-role"]
  }
  ```
</CodeGroup>

Filter and return one field from matching rows:

<CodeGroup>
  ```yaml Expression theme={null}
  open_ids: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")].id }}
  ```

  ```json Result theme={null}
  {
    "open_ids": ["f-1", "f-3"]
  }
  ```
</CodeGroup>

## Return behavior

* Single matches return a scalar.
* Wildcards return a list.
* Filters return a list.
* Non-existent fields return `None` (no error is raised).

Examples:

<CodeGroup>
  ```yaml Expression theme={null}
  name: ${{ TRIGGER.user.name }}
  ```

  ```json Result theme={null}
  {
    "name": "Alice"
  }
  ```
</CodeGroup>

<CodeGroup>
  ```yaml Expression theme={null}
  names: ${{ TRIGGER.users[*].name }}
  ```

  ```json Result theme={null}
  {
    "names": ["Alice", "Bob", "Carol"]
  }
  ```
</CodeGroup>

## Examples

Trigger data:

<CodeGroup>
  ```yaml Expression theme={null}
  email: ${{ TRIGGER.user.email }}
  ```

  ```json Result theme={null}
  {
    "email": "alice@example.com"
  }
  ```
</CodeGroup>

Action result:

<CodeGroup>
  ```yaml Expression theme={null}
  ticket_id: ${{ ACTIONS.create_ticket.result.id }}
  ```

  ```json Result theme={null}
  {
    "ticket_id": "T-123"
  }
  ```
</CodeGroup>

Array item:

<CodeGroup>
  ```yaml Expression theme={null}
  first_tag: ${{ ACTIONS.lookup_tags.result.tags[0] }}
  ```

  ```json Result theme={null}
  {
    "first_tag": "malware"
  }
  ```
</CodeGroup>

Wildcard:

<CodeGroup>
  ```yaml Expression theme={null}
  tag_names: ${{ ACTIONS.lookup_tags.result.tags[*] }}
  ```

  ```json Result theme={null}
  {
    "tag_names": ["malware", "phishing", "credential-access"]
  }
  ```
</CodeGroup>

Filter:

<CodeGroup>
  ```yaml Expression theme={null}
  open_findings: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")] }}
  ```

  ```json Result theme={null}
  {
    "open_findings": [{"id": "f-1", "status": "open"}, {"id": "f-3", "status": "open"}]
  }
  ```
</CodeGroup>

Filter and project:

<CodeGroup>
  ```yaml Expression theme={null}
  open_titles: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")].title }}
  ```

  ```json Result theme={null}
  {
    "open_titles": ["Suspicious login", "Impossible travel"]
  }
  ```
</CodeGroup>

## Related pages

* See [JSONPath](/automations/core-concepts/jsonpath) for core concepts and syntax.
* See [Expressions](/automations/core-concepts/expressions) for expression syntax and contexts.
* See [Functions](/automations/core-concepts/functions) for helper functions you can use alongside JSONPath access.