Getting Data In

How to show raw data instead of formatted data?

New Member

Hey Everyone,

Bit of a weird question. I'm ingesting a large amount of JSON data into Splunk. However, in the Search App I want to display the data as 'show raw text' by default. It's a business requirement. How can I achieve this with Splunk?

0 Karma


The easiest way to achieve this without any major changes is to click on the "list" dropdown and change it to "raw".

[Image: JSON data]
[Image: Changed to Raw event data]

0 Karma


I don't think you have define the display as 'Raw' in the search and reporting app. However, users can choose between Raw, List and Table when they search. The other option would be to create a new 'datasets' definition with something like index=yourindex | table _time, _raw and save it with a meaningful report. The users will see the data appearing as '_raw' when they view this.

0 Karma

New Member

Correct. The results are from the search bar. When I search for a specific sourcetype I receive this:

What I want to default to in the search bar is this:

That way my users, who are familiar with raw data, can easily and quickly search through something they're familiar with seeing.

0 Karma


If I read your question correctly, you want to display the raw data.
It's a bit odd, but easily accomplished:

index=your_index_name | table _raw
An upvote would be appreciated and Accept Solution if it helps!

New Member

Sadly, this isn't what I want. What I have is formatted JSON data. What I want to do is default the Search and Reporting app's JSON data to just raw text. That way all of my users, who are used to seeing raw text, can search through it like normal.

Not a simple thing to accomplish, surprisingly.

0 Karma


Still a bit confused then. You're ingesting formatted JSON, and want to display it as formatted JSON? Or you want to display it without the tags?

An upvote would be appreciated and Accept Solution if it helps!
0 Karma

New Member

This is what I'm trying to output. Last post didn't reflect this. Also thank you for taking the time to assist with this 🙂

0 Karma


The pic of your output looks like the raw event from search bar results to me.

Unless I'm still missing something, the data you are seeing is stored in the field _raw.
If you want to add the timestamp as you're seeing in the pic just add _time as well.

index=your_index_name |table _time,_raw
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
