https://community.splunk.com/t5/Getting-Data-In/How-to-convert-an-event-into-JSON/m-p/288300#M55097 <P>Hello @kcepull2 - Thank you for sharing this question and providing a solution. Do you think you can put the solution as an answer below so it can be Accepted? That way this question doesn't look like its unanswered forever? Thanks in advance!</P> Thu, 11 May 2017 16:41:24 GMT aaraneta_splunk 2017-05-11T16:41:24Z https://community.splunk.com/t5/Getting-Data-In/How-to-convert-an-event-into-JSON/m-p/288299#M55096 <P>[Not really a question, but wanted to document and share with the community...]</P> <P>So, I had a customer that liked how JSON events showed up in the Events tab on the Search screen (e.g. colored format, collapse/expand). He wanted events that weren't JSON to show up this way, too! (I tried to explain that wasn't the purpose of this screen, but it was an interesting exercise, so what the heck....)</P> <P>Here's what I came up with that will take any event, and format it as JSON so the Splunkweb JSON parser will kick in.</P> <PRE><CODE>your search here | foreach * [eval jsonmv_ = mvappend(jsonmv_,"\"&lt;&lt;MATCHSTR&gt;&gt;\":\"" + &lt;&lt;FIELD&gt;&gt; + "\"")] | eval _raw = "{" + mvjoin(jsonmv_,",") + "}" | fields - jsonmv_ </CODE></PRE> <P>The resulting event(s) will be in JSON format, and will display with colors, etc. in Splunkweb.</P> <P>NOTE: This is a VERY inefficient thing to do! You are basically having Splunk parse the event into fields (field extractions), then munging all those field back together into a JSON-formatted string, THEN having Splunk parse the JSON back into fields.</P> <P>Like I said - an interesting exercise to see if it was possible, but not very useful in a production situation.</P> Mon, 22 May 2023 12:48:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-convert-an-event-into-JSON/m-p/288299#M55096 kcepull2 2023-05-22T12:48:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-convert-an-event-into-JSON/m-p/288300#M55097 <P>Hello @kcepull2 - Thank you for sharing this question and providing a solution. Do you think you can put the solution as an answer below so it can be Accepted? That way this question doesn't look like its unanswered forever? Thanks in advance!</P> Thu, 11 May 2017 16:41:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-convert-an-event-into-JSON/m-p/288300#M55097 aaraneta_splunk 2017-05-11T16:41:24Z https://community.splunk.com/t5/Getting-Data-In/How-to-convert-an-event-into-JSON/m-p/288301#M55098 <P>Here's what I came up with that will take any event, and format it as JSON so the Splunkweb JSON parser will kick in.</P> <PRE><CODE> your search here | foreach * [eval jsonmv_ = mvappend(jsonmv_,"\"&lt;&lt;MATCHSTR&gt;&gt;\":\"" + &lt;&lt;FIELD&gt;&gt; + "\"")] | eval _raw = "{" + mvjoin(jsonmv_,",") + "}" | fields - jsonmv_ </CODE></PRE> Thu, 11 May 2017 18:32:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-convert-an-event-into-JSON/m-p/288301#M55098 kcepull2 2017-05-11T18:32:36Z https://community.splunk.com/t5/Getting-Data-In/How-to-convert-an-event-into-JSON/m-p/288302#M55099 <P>Sure! Thanks for the suggestion. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 11 May 2017 18:32:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-convert-an-event-into-JSON/m-p/288302#M55099 kcepull2 2017-05-11T18:32:59Z https://community.splunk.com/t5/Getting-Data-In/How-to-convert-an-event-into-JSON/m-p/644050#M109675 <P>getting below error when I tried your spl</P><LI-CODE lang="markup">Failed to parse templatized search for field 'tag::eventtype'</LI-CODE> Mon, 22 May 2023 00:40:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-convert-an-event-into-JSON/m-p/644050#M109675 damode1 2023-05-22T00:40:56Z