Why is the Splunk Python SDK not returning formatt...

lpolo · ‎04-21-2016

Splunk Python SDK does not return formatted numbers in the JSON response.

Example:

|eval var1=tonumber(var2)|
table var1

Results:

[{"var1": "321"}]

I was expecting

[{"var1": 321}]

Any idea why?

Thanks,
Lp

gwobben · ‎04-22-2016

I'm not working at Splunk so I can't really answer the why. However, it looks like Splunk is unaware of the data type (which makes sense given that the data type is figured out on search time). I'm guessing this is the reason everything is quoted in the JSON response, to prevent invalid JSON.

It's not very hard to work around this in Python (although there might be a minor performance hit). Try something like this:

def parseDictValues(d):
    for key, value in d.iteritems():

        # Test for a float
        try:
            d[key] = float(value)
        except ValueError:
            pass
    return d

Then loop through the results you've received and call this function to convert all numeric values.

lpolo · ‎04-22-2016

Splunk should honor that data type in the json response if I specify the data type in the search query.

Thanks,
Lp

Why is the Splunk Python SDK not returning formatted numbers in the JSON response?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation