Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to return search manager result as JSON

josefa123
Explorer
‎08-04-2015 10:30 PM

I have this code to display values of the search manager in the console but in array format,

var mySearch = splunkjs.mvc.Components.getInstance("search1");
        mySearch.on("search:done", function() {
            var results = mySearch.data("results")
            results.on("data", function(){
                console.log("Data (rows): ", results.data().rows);
            });
        });

Can the result be converted to JSON format? Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎08-05-2015 12:33 AM

Have a look at this page from the tutorial, especially the block of code in point 6. You'll see the following lines:

var manager = splunkjs.mvc.Components.getInstance('sankey-search');
var data = manager.data('results', {
    output_mode: 'json_rows',
    count: 0 // get all results
});

There you'll also see how to use them.

As a side remark, what you're doing in your code above is adding a function to your event listener every time the search returns results. Every time mySearch fires the event search:done, you're adding a new listener to the data event of mySearch.data("results"). Your code should instead look like this:

var search = splunkjs.mvc.Components.getInstance("search1"); // get the search manager
var myResults = search.data("results"); // get the data from that search
// When data arrives:
myResults.on("data", function() {
    ...
});

You use the search:done event for actions such as changing the display of a custom visualization from a notice such as "Waiting for search to complete..." to displaying actual data.

View solution in original post

Reply
Solved! Jump to solution

sfatnass
Contributor
‎11-28-2017 01:19 AM

hi
i triyed this solution but splunk return error
mySearch.data is not a function

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎12-04-2017 01:21 AM

You probably didn't use the right id. You should set an id in Simple XML like this:

<search id="search_id">

and get it in js with

var mySearch = splunkjs.mvc.Components.getInstance("search_id");
0 Karma
Reply
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎08-05-2015 12:33 AM

Have a look at this page from the tutorial, especially the block of code in point 6. You'll see the following lines:

var manager = splunkjs.mvc.Components.getInstance('sankey-search');
var data = manager.data('results', {
    output_mode: 'json_rows',
    count: 0 // get all results
});

There you'll also see how to use them.

As a side remark, what you're doing in your code above is adding a function to your event listener every time the search returns results. Every time mySearch fires the event search:done, you're adding a new listener to the data event of mySearch.data("results"). Your code should instead look like this:

var search = splunkjs.mvc.Components.getInstance("search1"); // get the search manager
var myResults = search.data("results"); // get the data from that search
// When data arrives:
myResults.on("data", function() {
    ...
});

You use the search:done event for actions such as changing the display of a custom visualization from a notice such as "Waiting for search to complete..." to displaying actual data.

Reply
Solved! Jump to solution

josefa123
Explorer
‎08-05-2015 02:44 AM 
var mySearch = splunkjs.mvc.Components.getInstance("cacheSearch"); // get the search manager
        var myResults = mySearch.data('results', { // get the data from that search
            output_mode: 'json_rows',
            count: 0 // get all results
        });
        // When data arrives:
        myResults.on("data", function() {
            console.log(myResults.data().rows);
        });

I used this to display the result on console but it is not on JSON format. The other thing is, it displays "Cannot read property 'rows' of undefined"

I have real time search manager.

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎08-05-2015 02:52 AM

As a rule of thumb, don't use real time searches to test stuff - they sometimes behave differently.
Also, as the error message implied, if you use the JSON output format, you no longer have the rows you used to get with the old method. Instead, you now use the toJSON() method of the underlying collection(). It should be something like this:

var mySearch = splunkjs.mvc.Components.getInstance("cacheSearch"); // get the search manager
var myResults = mySearch.data('results', { // get the data from that search
    output_mode: 'json_rows',
    count: 0 // get all results
});
// When data arrives:
myResults.on("data", function() {
    console.log(myResults.collection().toJSON());
});
0 Karma
Reply
Solved! Jump to solution

josefa123
Explorer
‎08-06-2015 10:11 PM

Im not testing stuff. I actually getting them and put inside a conditional statement.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...