Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to convert an event into JSON?

kcepull2
Path Finder
‎05-11-2017 09:34 AM

[Not really a question, but wanted to document and share with the community...]

So, I had a customer that liked how JSON events showed up in the Events tab on the Search screen (e.g. colored format, collapse/expand). He wanted events that weren't JSON to show up this way, too! (I tried to explain that wasn't the purpose of this screen, but it was an interesting exercise, so what the heck....)

Here's what I came up with that will take any event, and format it as JSON so the Splunkweb JSON parser will kick in.

your search here
| foreach * 
    [eval jsonmv_ = mvappend(jsonmv_,"\"<<MATCHSTR>>\":\"" + <<FIELD>> + "\"")] 
| eval _raw = "{" + mvjoin(jsonmv_,",") + "}" 
| fields - jsonmv_

The resulting event(s) will be in JSON format, and will display with colors, etc. in Splunkweb.

NOTE: This is a VERY inefficient thing to do! You are basically having Splunk parse the event into fields (field extractions), then munging all those field back together into a JSON-formatted string, THEN having Splunk parse the JSON back into fields.

Like I said - an interesting exercise to see if it was possible, but not very useful in a production situation.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kcepull2
Path Finder
‎05-11-2017 11:32 AM

Here's what I came up with that will take any event, and format it as JSON so the Splunkweb JSON parser will kick in.

 your search here
 | foreach * 
     [eval jsonmv_ = mvappend(jsonmv_,"\"<<MATCHSTR>>\":\"" + <<FIELD>> + "\"")] 
 | eval _raw = "{" + mvjoin(jsonmv_,",") + "}" 
 | fields - jsonmv_

View solution in original post

Reply
Solved! Jump to solution
Solution

kcepull2
Path Finder
‎05-11-2017 11:32 AM

Here's what I came up with that will take any event, and format it as JSON so the Splunkweb JSON parser will kick in.

 your search here
 | foreach * 
     [eval jsonmv_ = mvappend(jsonmv_,"\"<<MATCHSTR>>\":\"" + <<FIELD>> + "\"")] 
 | eval _raw = "{" + mvjoin(jsonmv_,",") + "}" 
 | fields - jsonmv_
Reply
Solved! Jump to solution

damode1
Path Finder
‎05-21-2023 05:40 PM

getting below error when I tried your spl

Failed to parse templatized search for field 'tag::eventtype'
0 Karma
Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎05-11-2017 09:41 AM

Hello @kcepull2 - Thank you for sharing this question and providing a solution. Do you think you can put the solution as an answer below so it can be Accepted? That way this question doesn't look like its unanswered forever? Thanks in advance!

0 Karma
Reply
Solved! Jump to solution

kcepull2
Path Finder
‎05-11-2017 11:32 AM

Sure! Thanks for the suggestion. 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...