Exploring and Analyzing Data in JSON Files on Data Lake Volumes

1. Introduction to Data Lakes and JSON Data

1.1 What is a Data Lake

The data lake is an important component of the Lakehouse, allowing you to store all structured and unstructured data in its original format without needing to define a schema upfront. This fully embodies the advantages of lakehouse unification, extending Lakehouse data management to the unified management of unstructured data, no longer limited to structured data management within the data warehouse. This flexibility makes it an ideal choice for big data analysis, as you can use different analysis methods and tools to process data as needed. A data lake typically consists of the following parts:

  • Storage Layer: Such as object storage (S3, OSS, COS, etc.)
  • Metadata Management: Used for organizing and discovering data
  • Processing Engine: Used for analyzing and transforming data

1.2 Volumes in the Data Lake

In modern data platforms like the Lakehouse, a Volume is an abstraction that represents a specific location in an external storage system (e.g., a path in object storage). Volumes allow the data platform to seamlessly access data stored in external systems without actually copying or moving that data.

Key features of Volumes:

  • Direct connection to external storage systems
  • Allows in-place querying without ETL
  • Supports multiple file formats (JSON, CSV, Parquet, etc.)
  • Can integrate with tables, providing SQL access capabilities

1.3 JSON Data Format

JSON (JavaScript Object Notation) is a lightweight data interchange format with the following features:

  • Semi-Structured: Flexible key-value pair structure
  • Nesting Capability: Supports complex hierarchical structures and arrays
  • Broad Support: Almost all programming languages provide JSON parsing support
  • Human Readable: Easier to understand compared to binary formats

In the big data domain, JSON is widely used for storing event data, API responses, log files, etc. Its flexibility makes it ideal for storing data with varying shapes.

2. Case Study: GitHub Event Data

2.1 Dataset Overview

GitHub event data is a publicly available dataset recording the time series of all public activities on the GitHub platform. In this case study, we analyze GitHub event data stored in the gh_archive Volume.

Data Source Details:

  • Volume Name: gh_archive
  • File Path: 2025-05-14-0.json.gz (representing events from the 00:00-01:00 period on May 14, 2025)
  • File Format: Compressed JSON file (using gzip compression)
  • Data Volume: A single file is approximately 85.6 MB (compressed), containing nearly 200,000 event records

Data Structure: Each record contains the following main fields:

  • id: Unique event identifier
  • type: Event type (e.g., PushEvent, PullRequestEvent, etc.)
  • actor: Information about the user who performed the action
  • repo: Information about the related code repository
  • org: Information about the related organization (if applicable)
  • payload: Detailed event information (varies by event type)
  • created_at: Event creation time
  • public: Whether the event is public

3. Data Lake Exploration and Analysis via SQL

3.1 Directly Querying JSON Files

The Lakehouse data lake platform allows direct SQL queries on files stored on Volumes, without needing to load them into tables first:

-- Analyze event type distribution
SELECT type, COUNT(*) as count 
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
GROUP BY type
ORDER BY count DESC

Query Result:

type                         count
----------------------------  ------
PushEvent                     131341
CreateEvent                   21700
PullRequestEvent              12537
IssueCommentEvent             7807
WatchEvent                    7196
DeleteEvent                   4832
PullRequestReviewEvent        3571
IssuesEvent                   3569
PullRequestReviewCommentEvent 2362
ForkEvent                     1537
ReleaseEvent                  1261
...

Features:

  • Zero ETL: No need to extract, transform, and load data beforehand
  • Flexible Access: Direct access to nested fields
  • Ad-Hoc Queries: Support for immediate data exploration

3.2 Handling Nested and Complex JSON Structures

JSON data often contains nested objects and arrays. SQL provides direct access to these complex structures:

-- Analyze file operation type distribution in PushEvent commits
SELECT 
  CASE 
    WHEN LOWER(payload.commits[0].message) LIKE '%add%' THEN 'Add'
    WHEN LOWER(payload.commits[0].message) LIKE '%fix%' THEN 'Fix'
    WHEN LOWER(payload.commits[0].message) LIKE '%update%' THEN 'Update'
    WHEN LOWER(payload.commits[0].message) LIKE '%remove%' OR LOWER(payload.commits[0].message) LIKE '%delete%' THEN 'Remove'
    WHEN LOWER(payload.commits[0].message) LIKE '%refactor%' THEN 'Refactor'
    WHEN LOWER(payload.commits[0].message) LIKE '%deploy%' THEN 'Deploy'
    WHEN LOWER(payload.commits[0].message) LIKE '%test%' THEN 'Test'
    WHEN LOWER(payload.commits[0].message) LIKE '%doc%' THEN 'Documentation'
    ELSE 'Other'
  END as commit_type,
  COUNT(*) as count,
  ROUND(COUNT(*) * 100.0 / SUM(COUNT(*)) OVER (), 2) as percentage
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
WHERE type = 'PushEvent' 
  AND payload.commits IS NOT NULL 
  AND SIZE(payload.commits) > 0
GROUP BY commit_type
ORDER BY count DESC

Query Result:

commit_type    count   percentage
------------   ------  ----------
Other          46901   35.75
Update         42211   32.17
Deploy         17513   13.35
Add            11775   8.97
Fix            5027    3.83
Test           3389    2.58
Remove         3174    2.42
Documentation  637     0.49
Refactor       575     0.44

Features:

  • Path Navigation: Use dot notation to access nested objects
  • Array Indexing: Use square brackets to access array elements
  • Array Functions: Use functions like SIZE() to handle arrays
  • Conditional Analysis: Use CASE statements for classification and pattern recognition

3.3 Using JSON Paths to Access Deeply Nested Data

Path expressions can be used to deeply access multi-level nested structures in JSON documents:

-- Analyze branch information in PR events
SELECT 
  payload.pull_request.base.ref as base_branch,
  payload.pull_request.head.ref as head_branch,
  COUNT(*) as count
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
WHERE type = 'PullRequestEvent'
  AND payload.action = 'opened'
  AND payload.pull_request.base.ref IS NOT NULL
  AND payload.pull_request.head.ref IS NOT NULL
GROUP BY base_branch, head_branch
ORDER BY count DESC
LIMIT 15

Query Result:

base_branch   head_branch                                               count
------------  --------------------------------------------------------  -----
main          main                                                      508
master        master                                                    499
main          dependabot/bundler/kamal-2.6.0                            93
main          develop                                                   72
main          dev                                                       63
main          github-actions/upgrade-dev-deps-main                      35
dev           dev                                                       27
main          github-actions/upgrade-main                               26
main          prBranch                                                  25
develop       develop                                                   20
main          test                                                      20
...

3.4 Complex Conditional Filtering and Regular Expressions

Use regular expressions and complex condition combinations to filter JSON data:

-- Find PRs created by bot accounts and analyze target repositories
SELECT 
  REGEXP_EXTRACT(actor.login, '(.*?)\\[bot\\]') as bot_name,
  repo.name as target_repo,
  COUNT(*) as pr_count
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
WHERE 
  type = 'PullRequestEvent' 
  AND payload.action = 'opened'
  AND actor.login LIKE '%[bot]'
GROUP BY bot_name, target_repo
HAVING pr_count > 5
ORDER BY pr_count DESC
LIMIT 15

Query Result:

bot_name        target_repo                                       pr_count
--------------  ------------------------------------------------  --------
dependabot      GolfredoPerezFernandez/nodo-blockchain-blockscout  12
renovate        gAmUssA/flink-java-flights                         12
github-actions  hofferkristof/laravel-lang                         12
dependabot      j4v3l/tapo-exporter                                11
dependabot      Sudhanshu-Ambastha/GPT-3-webapp-in-reactjs         10
dependabot      jamespurnama1/new-portfolio                        10
github-actions  zzllbj/lang                                        9
...

3.5 Advanced Aggregation and Conditional Statistics

Use conditional aggregation to simultaneously analyze multiple metrics:

-- Analyze repository activity: Calculate the number of different event types per repository
SELECT
  repo.name,
  COUNT(DISTINCT actor.id) as unique_contributors,
  SUM(CASE WHEN type = 'PushEvent' THEN 1 ELSE 0 END) as push_count,
  SUM(CASE WHEN type = 'PullRequestEvent' THEN 1 ELSE 0 END) as pr_count,
  SUM(CASE WHEN type = 'IssueEvent' THEN 1 ELSE 0 END) as issue_count,
  SUM(CASE WHEN type = 'WatchEvent' THEN 1 ELSE 0 END) as watch_count,
  SUM(CASE WHEN type = 'ForkEvent' THEN 1 ELSE 0 END) as fork_count,
  COUNT(*) as total_events
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
GROUP BY repo.name
HAVING total_events > 100
ORDER BY total_events DESC
LIMIT 10

Query Result:

repo.name                    unique_contributors  push_count  pr_count  issue_count  watch_count  fork_count  total_events
--------------------------   -------------------  ----------  --------  -----------  -----------  ----------  ------------
samgrover/mb-archive         1                    1289        0         0            0            0           1289
chrisxero/bitdepth-microblog 1                    1087        0         0            0            0           1087
iniadittt/iniadittt          1                    877         0         0            0            0           877
0xios/news-momentum-1        1                    730         0         0            0            0           730
JamyJones/Pastebin           1                    636         0         0            0            0           636
SoliSpirit/proxy-list        1                    586         0         0            0            0           586
...

3.6 Window Function Analysis

Use window functions for more complex ranking and grouping analysis:

-- Window function analysis: Calculate the most active users within each organization
SELECT
  org_login,
  username,
  event_count,
  rank_in_org
FROM (
  SELECT
    org.login as org_login,
    actor.login as username,
    COUNT(*) as event_count,
    RANK() OVER (PARTITION BY org.login ORDER BY COUNT(*) DESC) as rank_in_org
  FROM VOLUME gh_archive
  USING json
  OPTIONS('compression'='gzip')
  FILES('2025-05-14-0.json.gz')
  WHERE org.login IS NOT NULL
  GROUP BY org_login, username
) t
WHERE rank_in_org <= 3 AND org_login IN (
  SELECT org.login
  FROM VOLUME gh_archive
  USING json
  OPTIONS('compression'='gzip')
  FILES('2025-05-14-0.json.gz')
  WHERE org.login IS NOT NULL
  GROUP BY org.login
  ORDER BY COUNT(*) DESC
  LIMIT 5
)
ORDER BY org_login, rank_in_org

Query Result:

org_login                  username                            event_count  rank_in_org
-------------------------  ----------------------------------  -----------  -----------
blueprint-house            ChineeWetto                         559          1
curseforge-mirror          github-actions[bot]                 525          1
flyteorg                   github-actions[bot]                 444          1
flyteorg                   flyte-bot                           1            2
microsoft                  wingetbot                           67           1
microsoft                  microsoft-github-policy-service[bot] 57          2
microsoft                  jstarks                             29           3
static-web-apps-testing-org swa-runner-app[bot]                2178         1
static-web-apps-testing-org mkarmark                           164          2
static-web-apps-testing-org github-actions[bot]                28           3

3.7 Text Analysis and Time Processing

Use string functions and time functions to analyze time patterns in JSON data:

-- Verify the relationship between event type and hourly activity
SELECT 
  SUBSTR(created_at, 12, 2) as hour_of_day,
  type,
  COUNT(*) as event_count
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
GROUP BY hour_of_day, type
ORDER BY hour_of_day, event_count DESC

Query Result:

hour_of_day  type                         event_count
-----------  ---------------------------  -----------
00           PushEvent                    131341
00           CreateEvent                  21700
00           PullRequestEvent             12537
00           IssueCommentEvent            7807
00           WatchEvent                   7196
...

3.8 Analyzing PR Merge Patterns

Analyze Pull Request merge trends:

-- Analyze PR merge trends: View PRs from creation to merging
SELECT 
  SUBSTRING(payload.pull_request.merged_at, 1, 10) as merge_date,
  COUNT(*) as merged_prs
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
WHERE 
  type = 'PullRequestEvent' 
  AND payload.action = 'closed' 
  AND payload.pull_request.merged = true
  AND payload.pull_request.merged_at IS NOT NULL
GROUP BY merge_date
ORDER BY merge_date

Query Result:

merge_date  merged_prs
----------  ----------
2025-05-13  3
2025-05-14  4448

3.9 Loading File Data into Tables for Further Analysis

For data that needs repeated analysis, creating tables can improve query performance:

CREATE TABLE github_events AS
SELECT 
  id,
  type,
  actor.login as actor_name,
  actor.id as actor_id,
  repo.name as repo_name,
  repo.id as repo_id,
  org.login as org_name,
  created_at,
  public,
  payload
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')

Advantages:

  • Improved Performance: Tables can use indexes and caching to speed up queries
  • Data Transformation: Transformations and column renaming can be applied during loading
  • Persistent Access: Create persistent views to avoid repeated parsing of raw data

4. Key Technical Features of Data Lake Analysis

4.1 Schema Flexibility

A core advantage of data lake analysis is schema flexibility:

  • Schema-on-Read: Data structure only needs to be defined at query time
  • Partial Field Access: Only query needed fields, ignoring others
  • Evolution Adaptation: As data structures change, queries can easily adapt

For example, in our GitHub event analysis, we can focus only on specific event types or specific fields without processing the entire data structure.

4.2 Computation Pushdown and Filter Optimization

The Lakehouse data lake technology supports computation pushdown, pushing filter and transformation operations to the data source:

-- Example of an efficient filter query
SELECT actor.login, COUNT(*) as event_count
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
WHERE type = 'PushEvent'
GROUP BY actor.login
ORDER BY event_count DESC
LIMIT 10

4.3 Unified Data Access and Format Selection

Apply SQL analysis to different types of data files in the same Volume:

-- 1. Query JSON files
SELECT COUNT(*) FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz');

-- 2. If the Volume has CSV files, similar syntax can be used for querying
-- SELECT * FROM VOLUME volume_name
-- USING csv
-- OPTIONS('header'='true')
-- FILES('data.csv');

4.4 Distributed Processing Capabilities

Data lake analysis engines are typically based on distributed computing frameworks, capable of processing large-scale datasets:

  • Parallel Processing: Automatically decomposes queries into parallel execution tasks
  • Memory Management: Optimizes memory usage, processing data exceeding single-machine memory capacity
  • Fault Tolerance: Handles node failures and recovery

In GitHub event analysis, even though individual files are relatively small, the same queries can scale to analyze TB-level historical event data.

5. Data Analysis Process and Methodology

Through the GitHub event data case study, we can summarize a methodology for analyzing JSON data in a data lake:

5.1 Exploratory Data Analysis Process

  1. Initial Preview: Get data samples to understand the overall structure

    SELECT * FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
LIMIT 10

  2. Overview Statistics: Understand data distribution and main dimensions

    SELECT type, COUNT(*) as count 
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
GROUP BY type
ORDER BY count DESC

  3. Deep Analysis: Refined analysis targeting specific domains

    SELECT 
  actor.login as username, 
  COUNT(*) as event_count
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
GROUP BY username
ORDER BY event_count DESC
LIMIT 15

  4. Correlation Analysis: Cross-analysis connecting multiple dimensions

    SELECT 
  org.login as organization,
  type,
  COUNT(*) as event_count
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
WHERE org.login IS NOT NULL
GROUP BY organization, type
ORDER BY organization, event_count DESC
LIMIT 20

5.2 Data Insight Methods

In the GitHub event analysis, we discovered several key insights:

  1. Activity Distribution: Understanding the proportion of different event types, discovering that Push events dominate (66%)
  2. Automation Trends: Through user activity analysis, discovering that automated bot accounts (such as github-actions[bot]) contribute a large amount of activity
  3. Organizational Ecosystem: Identifying the most active organizations, understanding the composition of the GitHub ecosystem
  4. Development Behavior: Through commit message analysis, understanding developers' work patterns and focus areas
  5. Branch Usage Patterns: main and master are still the most common target branch names
  6. Bot Activity: dependabot, renovate, and github-actions are the most active automation bots

These insights come directly from SQL queries, demonstrating the powerful capability of SQL as a data analysis tool.

6. Best Practices and Optimization Tips

6.1 JSON Data Analysis Optimization

  • Selective Field Reading: Only select the fields needed for analysis

    -- Only read necessary fields instead of all fields
SELECT 
  type, 
  actor.login, 
  repo.name
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
LIMIT 10

  • Predicate Pushdown: Apply filter conditions as early as possible in the query

  • Predicate Pushdown: Filter conditions (WHERE type = 'PushEvent') are pushed down to the storage layer, leveraging columnar statistics (such as max/min/bloom filters) to skip data blocks that clearly don't match.

  • Column Pruning: Only read relevant columns (actor.login and type), skipping parsing of unrelated fields.

  • Filter Optimization: After the storage layer loads data in blocks, further filter out non-matching records in memory, ultimately retaining only valid data for computation.

    -- Filter data early to reduce processing volume
SELECT COUNT(*) 
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
WHERE type = 'PushEvent'

  • Properly Handle NULL Values: Use IS NULL and IS NOT NULL to check for missing fields

    -- Identify and handle missing data
SELECT 
  type,
  COUNT(*) as total_count,
  SUM(CASE WHEN org.login IS NULL THEN 1 ELSE 0 END) as without_org,
  SUM(CASE WHEN org.login IS NOT NULL THEN 1 ELSE 0 END) as with_org
FROM VOLUME gh_archive
USING json
OPTIONS('compression'='gzip')
FILES('2025-05-14-0.json.gz')
GROUP BY type
ORDER BY total_count DESC

6.2 Data Lake Query Best Practices

  1. Avoid Full Table Scans: Use filter conditions whenever possible
  2. Use Aggregation Wisely: When data volume is large, prioritize distributed aggregation
  3. Selective Projection: Only select necessary columns to reduce I/O and memory usage
  4. Appropriate Data Transformation: For frequently queried data, consider converting to more efficient formats
  5. Leverage Data Partitioning: Logical partitioning based on file names or paths
  6. Pay Attention to Error Handling: Handle JSON parsing errors and type conversion issues

7. Summary

Key features of data lake exploration and analysis through SQL:

  1. No ETL Needed: Directly query raw data, reducing data preparation time
  2. Flexibility: Adapts to semi-structured data without predefined schemas
  3. Ease of Use: Uses familiar SQL syntax, lowering the learning curve
  4. Scalability: Handles data from GB to PB levels
  5. Unified Access: The same interface handles multiple data formats
  6. Exploration-Friendly: Supports iterative data exploration processes
  7. Performance Optimization: Provides various optimization techniques and strategies

SQL analysis on the data lake combines the ease of use of traditional SQL with the flexibility and scalability of big data processing, making it a powerful tool for modern data analysis. Through the GitHub event data analysis case study in this article, we demonstrated how to use SQL to directly query and analyze JSON files stored on data lake Volumes, quickly obtaining valuable data insights.

References

JSON Data Type

JSON Functions External Volume

Data Processing and Analysis Using Virtual Cluster
Discover and Analyze Data in Parquet Files on External Volume
Singdata © 2024 Singdata, Inc. All Rights Reserved.