Getting Data In

How do I get json_cols instead of json_rows in my reporting command?

bojanjanisch
New Member

Hey everyone,

I'm currently writing a custom search command for some reporting and I'm struggling with the result format that I get. Usually you get an array of json events that can be used for streaming commands, however what I need is an array of columns, where each element contains all values from a column of the resultset.

I know that in Splunk's internal libraries there is a function called "setFetchOptions()" which is also used by some visualizations to gather the results in a column array instead of row array, however I couldn't find an implementation of it directly.

from pdfgen_endpoint.py, line 698:
view.getSearchJobObj().setFetchOptions(output_mode="json_cols", time_format=pt.TIME_RAW_FORMAT)
results = view.getSearchJobResults()

I know that I can create this column array manually by iterating over the resultset like this:
data = list()
for key in results[0].keys():
column = list()
for r in results:
column.append(r[key])
data.append(column)

However I thought that maybe someone knows a more convenient, so to say: Splunk way of doing it.

0 Karma

bojanjanisch
New Member

Better format of code:

view.getSearchJobObj().setFetchOptions(output_mode="json_cols", time_format=pt.TIME_RAW_FORMAT)
results = view.getSearchJobResults()

and

data = list()
for key in results[0].keys():
column = list()
for r in results:
column.append(r[key])
data.append(column)

Sorry for this comment, I couldn't find an option to edit it anymore.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...