jq Power User Cheatsheet

jq for incident response. The expressions that save time.

Filter

jq is the JSON query language for the command line. Power users move beyond basic field extraction; the cheatsheet captures the advanced patterns that turn jq into a daily tool rather than an occasional one.

• Pipeline filtering. .[] | select(.status == "error") | .id iterates the array, filters to errors, and extracts IDs. Each step composes; the result is targeted rather than scrolled.
• Faster than grep for JSON. JSON-aware filtering is faster and more reliable than grep. grep operates on text and breaks on multi-line records; jq operates on structure and survives reformatting.
• Compound conditions and negation. select(.status == "error" and .severity == "high") filters on multiple fields; select(.status != "success") handles the inverse case. The grammar scales.
• Regex matching. select(.path | test("^/api/")) uses regex. Pattern-based filtering covers the cases where exact matches fall short.

Aggregate

jq supports aggregations. group_by, count, sum, max, min, and unique together produce summary statistics from JSON without leaving the shell.

• Group by. group_by(.service) | map({service: .[0].service, count: length}) groups entries by service and produces a list with each service plus its count. Concise enough for one-liners.
• Aggregations without sed/awk. Traditional Unix tools are awkward for JSON. jq's structured operations are more reliable than text-based aggregation; the operations survive log-format changes.
• Sum, average, extrema. add, length, and divide produce sums and averages; min_by(.field) and max_by(.field) find extrema. Common statistics in two or three operators.
• Unique values. unique_by(.field) deduplicates by a key. Catches duplicate-detection cases that would otherwise need a sort plus uniq pipeline.

Transform

jq transforms data structures. Reshaping, type conversion, and conditional restructuring together cover most data-preparation needs without dropping into Python.

• Object reshape. {a: .x, b: .y | tonumber} creates a new object: field a from .x, field b from .y converted to number. The new structure is targeted to the next step rather than carrying noise forward.
• Pipeable chains. Each transformation is a step in a pipeline. Filter, then transform, then aggregate; each step is bounded, and the readability survives even at four or five operators.
• Type conversions. tostring, tonumber, and fromjson handle type changes inline. Inconsistent data types stop being a blocker.
• Conditional logic. if-then-else expressions handle conditional transformations. Complex logic stays inside the jq expression rather than escaping to a wrapper script.

jq power user cheatsheet is one of those JSON tooling disciplines that compounds across many CLI workflows. Nova AI Ops integrates with API and observability tooling, complementing CLI-driven analysis.