- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exporting in JSON
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just wrote an app that can create JSON in-line: https://splunkbase.splunk.com/app/3540/
With this you could convert _raw (and any other fields not from _raw) to JSON, then export a "csv" with one field containing the JSON.
... | mkjson outputfield=json | table json | outputcsv mycsv
Be sure to read the Usage guide (https://github.com/doksu/TA-jsontools/wiki#usage-1) which has a range of examples.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@doksu
I have a query where we are trying to output the results into csv but now we would like to have that in json format.
Can we do that through this app?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure I understand the question. Splunk cannot write to a json file, however you can produce JSON using the mkjson command as seen above then pipe that to another command like outputcsv to dump that to disk (JSON inside a CSV).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no analogous search command to write a JSON formatted file from within a search itself. You can run a search using the REST API (http://www.splunk.com/base/Documentation/latest/Developer/RESTIntro) and fetch the results in JSON format using the argument output_mode=json from the events, results or results_preview resources.
