Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to export events as JSON format?

sutom
Path Finder
‎12-15-2022 05:37 AM

Hi All,

I am trying to export events in JSON format, and I am able to do it, and getting events like the one below.

 

{"preview":false,"result":{"_raw":"{\"tomLogs\":[{\"component\":\"tom\"}]}}}
{"preview":false,"result":{"_raw":"{\"tomLogs\":[{\"component\":\"tom\"}]}}}
{"preview":false,"result":{"_raw":"{\"tomLogs\":[{\"component\":\"tom\"}]}}}

 

But the My expectation of having these events in an array with commas separated like the below format.

 

[
{"preview":false,"result":{"_raw":"{\"tomLogs\":[{\"component\":\"tom\"}]}}},
{"preview":false,"result":{"_raw":"{\"tomLogs\":[{\"component\":\"tom\"}]}}},
{"preview":false,"result":{"_raw":"{\"tomLogs\":[{\"component\":\"tom\"}]}}}
]

 

Please provide some references that can help to export events in the expected format.

Labels (2)
Labels
Tags (2)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎12-16-2022 08:14 AM

@sutom - I would say the export is correct, add the [ (square brackets) and , (commas) in the exported file manually by regex replace in any advance text/code editor.

This would be the simplest option to what you want to achive. You can also write a small python script to do that we well.

 

I hope this helps!!!

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎12-15-2022 10:37 PM

The question is really "how to export events as JSON array."  Is this correct?  The result you got are a sequence of perfectly correct JSON events.

If you want all those events exported to one big array, why not put all events in one big array?  Like

| stats values(_raw) as jumbo_raw

The export will then look like

{"preview":false,"result":{"_raw":[
{"tomLogs":[{"component":"tom"}]},
{"tomLogs":[{"component":"tom"}]},
{"tomLogs":[{"component":"tom"}]}
]}
}

 Will this array do? Otherwise you can write a simple script to convert a series of JSON objects into a JSON array.

0 Karma
Reply

FelixLeh
Contributor
‎12-15-2022 07:45 AM

Have you tried using "KV_MODE = json" in props.conf where the corresponding Sourcetype is defined?

 

[your_sourcetype]
KV_MODE = json
#your other settings for the sourcetype:
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...