Hey Everyone,
Bit of a weird question. I'm ingesting a large amount of JSON data into Splunk. However, in the Search App I want to display the data as 'show raw text' by default. It's a business requirement. How can I achieve this with Splunk?
I don't think you have define the display as 'Raw' in the search and reporting app. However, users can choose between Raw, List and Table when they search. The other option would be to create a new 'datasets' definition with something like index=yourindex | table _time, _raw and save it with a meaningful report. The users will see the data appearing as '_raw' when they view this.
Correct. The results are from the search bar. When I search for a specific sourcetype I receive this:
What I want to default to in the search bar is this:
That way my users, who are familiar with raw data, can easily and quickly search through something they're familiar with seeing.
If I read your question correctly, you want to display the raw data.
It's a bit odd, but easily accomplished:
index=your_index_name | table _raw
Sadly this isn't what I want. What I have is formatted . What I want to do is default the Search and Reporting app's JSON data to just . That way all of my users, who are used to seeing raw text, can search through it like normal.
Not a simple thing to accomplish, surprisingly.
Still a bit confused then. You're ingesting formatted JSON, and want to display it as formatted JSON? Or you want to display it without the tags?
This is what I'm trying to output. Last post didn't reflect this. Also thank you for taking the time to assist with this 🙂
The pic of your output looks like the raw event from search bar results to me.
Unless I'm still missing something, the data you are seeing is stored in the field _raw.
If you want to add the timestamp as you're seeing in the pic just add _time as well.
index=your_index_name |table _time,_raw