How to display JSON tree structure in a summary index without output_mode=hec?

LearningGuy — Tue, 22 Apr 2025 02:10:27 GMT

Hello,

How to display JSON tree structure in a summary index without output_mode=hec?

I am not a Splunk admin. So, the only way I created summary index was using a Splunk report. I then enabled "Schedule Report" and "Summary Indexing". When the report ran, it appended the search query with the "| summaryindex" syntax. (See the screenshot below showing the steps). The summary index query is: index=summary report=test_1 (the report field is to differentiate with the other users)

I tried | collect index=summary name=test_1 output_mode=hec, the result DID NOT show up in the summary index

I tried | collect index=summary marker="hostname=\"https://a1.test.com/\",report=\"test_1\"", the result DID show up in the summary index, but without JSON tree structure

I tried | collect index=summary marker="hostname=\"https://a1.test.com/\",report=\"test_1\"" output_mode=hec, I received an "invalid argument". This is likely because marker parameter is not compatible with output_mode=hec. I believe only output_mode raw is allowed.

However, I accidentally and successfully created a summary index and displayed it as a JSON tree structure by accident. I don't know what I did.

Please suggest. Thank you so much

Step to create summary index
1) Created a Splunk Report, edited the search, and enabled schedule

2) Enabled summary indexing

After the report Ran, it added | summaryindex syntax

Here's the Search query

| windbag | head 1 | eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"

The search result using "List"

When I clicked show syntax highlighted, it showed JSON tree structure
Expected result

Re: How to display JSON tree structure in a summary index without output_mode=hec?

livehybrid — Tue, 22 Apr 2025 09:12:37 GMT

Hi @LearningGuy

If you are wanting to collect the data into a "summary" index then you do not have to use the method which appends the "summaryindex" command if this doesnt do what you need it to do.

Instead just create your search as you did with the collect command (with output mode to HEC) and then schedule the report to run at the relevant interval.

Check out Manually configure a report to populate a summary index in the summary indexing docs.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

topic How to display JSON tree structure in a summary index without output_mode=hec? in Splunk Search

How to display JSON tree structure in a summary index without output_mode=hec?

Re: How to display JSON tree structure in a summary index without output_mode=hec?