Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

How do I get json_cols instead of json_rows in my reporting command?

bojanjanisch
New Member
โ€Ž07-23-2018 03:39 AM

Hey everyone,

I'm currently writing a custom search command for some reporting and I'm struggling with the result format that I get. Usually you get an array of json events that can be used for streaming commands, however what I need is an array of columns, where each element contains all values from a column of the resultset.

I know that in Splunk's internal libraries there is a function called "setFetchOptions()" which is also used by some visualizations to gather the results in a column array instead of row array, however I couldn't find an implementation of it directly.

from pdfgenendpoint.py, line 698:
`view.getSearchJobObj().setFetchOptions(outputmode="jsoncols", timeformat=pt.TIMERAWFORMAT)
results = view.getSearchJobResults()
`

I know that I can create this column array manually by iterating over the resultset like this:
data = list()
for key in results[0].keys():
column = list()
for r in results:
column.append(r[key])
data.append(column)

However I thought that maybe someone knows a more convenient, so to say: Splunk way of doing it.

0 Karma
Reply

bojanjanisch
New Member
โ€Ž07-23-2018 04:14 AM

Better format of code:

view.getSearchJobObj().setFetchOptions(output_mode="json_cols", time_format=pt.TIME_RAW_FORMAT)
results = view.getSearchJobResults()

and

data = list()
for key in results[0].keys():
column = list()
for r in results:
column.append(r[key])
data.append(column)

Sorry for this comment, I couldn't find an option to edit it anymore.

0 Karma
Reply