Getting Data In

How to show raw data instead of formatted data?

TitanAE
New Member

Hey Everyone,

Bit of a weird question. I'm ingesting a large amount of JSON data into Splunk. However, in the Search App I want to default display the data as 'show raw text'. It's a business requirement. How can I achieve this with Splunk?

0 Karma

soumyasaha25
Contributor

The easiest way to achieve this without any major changes is to click on the "list" dropdown and change it to "raw".

[Image: JSON data]
[Image: Changed to Raw event data]

0 Karma

lakshman239
SplunkTrust

I don't think you have define the display as 'Raw' in the search and reporting app. However, the user can choose between Raw, List and Table when they search. The other option would be to create a new 'datasets' definition with something like index=yourindex | table _time, _raw and save it with a meaningful report. The users will see the data appearing as '_raw' when they view this.

0 Karma

TitanAE
New Member

Correct. The results are from the search bar. When I search for a specific sourcetype I receive this:

https://imgur.com/a/JgGmLPV

What I want to default to in the search bar is this:

https://imgur.com/a/6825fI8

That way my users, who are familiar with raw data, can easily and quickly search through something they're familiar with seeing.

0 Karma

codebuilder
SplunkTrust

If I read your question correctly, you want to display the raw data.
It's a bit odd, but easily accomplished:

index=your_index_name | table _raw
----
An upvote would be appreciated and Accept Solution if it helps!

TitanAE
New Member

Sadly this isn't what I want. What I have is formatted JSON data. What I want to do is default the Search and Reporting app's JSON data to just raw text. That way all of my users, who are used to seeing raw text, can search through it like normal.

Not a simple thing to accomplish, surprisingly.

0 Karma

codebuilder
SplunkTrust

Still a bit confused then. You're ingesting formatted JSON, and want to display it as formatted JSON? Or you want to display it without the tags?

0 Karma

TitanAE
New Member

This is what I'm trying to output. Last post didn't reflect this. Also thank you for taking the time to assist with this 🙂

https://imgur.com/a/6825fI8

0 Karma

codebuilder
SplunkTrust

The pic of your output looks like the raw event from search bar results to me.

Unless I'm still missing something, the data you are seeing is stored in the field _raw.
If you want to add the timestamp as you're seeing in the pic just add _time as well.

index=your_index_name | table _time, _raw
0 Karma

TitanAE
New Member

Correct. The results are from the search bar. When I search for a specific sourcetype I receive this:

https://imgur.com/a/JgGmLPV

What I want to default to in the search bar is this:

https://imgur.com/a/6825fI8

That way my users, who are familiar with raw data, can easily and quickly search through something they're familiar with seeing.

0 Karma