Hi everyone,
We're using the Splunk Python SDK to run queries in Splunk.
However, we seem to be getting the results in a strange format that isn't valid JSON. For example:
"_raw":"1618242600, search_name=\"Access - Geographically Improbable Access Detected - Rule\", orig_raw=\"01/12/2020 09:09:09 -0600, search_name=\\\"Access - Geographically Improbable Access - Summary Gen\\\", search_now=1618242600.000, info_min_time=1618177200.000, info_max_time=1618242600.000, info_search_time=1618242614.320, src=\\\"3.121.59.84\\\", dest=\\\"54.212.209.210\\\", user=DUMMY, speed=\\\"555.000\\\", src_app=splunk, src_lat=\\\"44.444\\\", dest_app=splunk, dest_lat=\\\"44.444\\\", distance=\\\"222.222\\\", src_city=Test, src_long=\\\"--88.888\\\", src_time=161800000, dest_city=TEST, dest_long=\\\"-120.000\\\", dest_time=161820000, src_country=\\\"United States\\\", dest_country=\\\"United States\\\", forceCsvResults=\\\"auto\\\"\", orig_time=\"161820000\", dest=\"1.1.1.1\", dest_app=\"splunk\", dest_city=\"TTTest\", dest_country=\"United States\", dest_lat=\"44.44444\", dest_long=\"-120.000\", dest_time=\"161820000\", distance=\"2400.00\", info_max_time=\"1618200000.000000000\", info_min_time=\"1618200000.000000000\", info_search_time=\"1618200000.000000000\", speed=\"555.444\", src=\"1.1.1.1\", src_app=\"splunk\", src_city=\"TeSt\", src_country=\"United States\", src_lat=\"44.4444\", src_long=\"-77.7777\", src_time=\"161820000\", user=\"DUMMY\""
I have some questions and would appreciate your help with them:
1. What is the reason for this situation? I would expect the "_raw" field to be in JSON format. I tried specifying output_mode as "json", but no luck.
2. Is there a common practice way for getting the raw data in a JSON format?
Thanks so much for the help!
We are also looking for a working parser for the `_raw` field.
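An added example, not code from the original post or from the Splunk SDK: a small Python parser for the `_raw` layout shown above. The value the SDK hands back in `_raw` is the event text exactly as it was indexed; `output_mode="json"` only controls the envelope around each result, so a key=value event stays key=value inside it. This event is a leading timestamp followed by comma-separated `key=value` pairs, where quoted values use backslash escapes and `orig_raw` is itself another event in the same format, one escape level down. The parser below walks the string character by character (so commas and quotes inside quoted values are handled), unescapes quoted values, and recurses into `orig_raw` to build a nested dict that `json.dumps` can serialise. Function names (`parse_kv`, `parse_raw`, `event_to_json`) and the `_prefix` key for positional tokens are my own choices; `SAMPLE_RAW` is a constructed, shortened copy of the post's example with the JSON-level escaping already removed, i.e. what the string looks like once it has been pulled out of the SDK's result dict.

```python
import json

# Constructed sample: the post's _raw value, shortened, as the Python string
# you would get from result["_raw"] (one level of JSON escaping already gone).
# Inside orig_raw the inner quotes are still backslash-escaped.
SAMPLE_RAW = (
    '1618242600, '
    'search_name="Access - Geographically Improbable Access Detected - Rule", '
    'orig_raw="01/12/2020 09:09:09 -0600, '
    'search_name=\\"Access - Geographically Improbable Access - Summary Gen\\", '
    'search_now=1618242600.000, src=\\"3.121.59.84\\", dest=\\"54.212.209.210\\", '
    'user=DUMMY, speed=\\"555.000\\", src_country=\\"United States\\", '
    'forceCsvResults=\\"auto\\"", '
    'orig_time="161820000", dest="1.1.1.1", dest_country="United States", '
    'src="1.1.1.1", user="DUMMY"'
)


def _read_value(raw, pos):
    """Read one value starting at raw[pos]; return (value, new_pos).

    A double-quoted value may contain commas and backslash escapes
    (\\" and \\\\ are unescaped); a bare value runs up to the next comma.
    """
    n = len(raw)
    if pos < n and raw[pos] == '"':
        pos += 1
        buf = []
        while pos < n:
            ch = raw[pos]
            if ch == '\\' and pos + 1 < n:   # escaped char: keep the next char literally
                buf.append(raw[pos + 1])
                pos += 2
            elif ch == '"':                  # unescaped quote closes the value
                pos += 1
                break
            else:
                buf.append(ch)
                pos += 1
        return ''.join(buf), pos
    start = pos
    while pos < n and raw[pos] != ',':
        pos += 1
    return raw[start:pos].strip(), pos


def parse_kv(raw):
    """Parse a comma-separated key=value line.

    Returns (positional, fields): tokens without '=' (such as the leading
    timestamp) go to the positional list, everything else into the dict.
    """
    positional, fields = [], {}
    pos, n = 0, len(raw)
    while pos < n:
        while pos < n and raw[pos] in ' ,':   # skip separators
            pos += 1
        if pos >= n:
            break
        start = pos
        while pos < n and raw[pos] not in '=,':   # key runs to '=' or ','
            pos += 1
        token = raw[start:pos].strip()
        if pos < n and raw[pos] == '=':
            value, pos = _read_value(raw, pos + 1)
            fields[token] = value
        else:
            positional.append(token)
    return positional, fields


def parse_raw(raw, nested_key='orig_raw'):
    """Turn a _raw string into a dict; the nested event in orig_raw is
    parsed recursively, since unescaping it yields the same format."""
    positional, fields = parse_kv(raw)
    event = {'_prefix': positional}
    event.update(fields)
    if nested_key in fields:
        event[nested_key] = parse_raw(fields[nested_key], nested_key)
    return event


def event_to_json(raw):
    """The JSON form the original question asks for."""
    return json.dumps(parse_raw(raw), indent=2)


if __name__ == '__main__':
    print(event_to_json(SAMPLE_RAW))
```

Two practical notes: Splunk's search-time key=value extraction normally exposes these pairs as separate fields on the same result the SDK returns (so `result["src"]`, `result["dest"]` and so on are often already there without touching `_raw`), and the leading timestamp does not follow the key=value grammar, which is why it ends up under `_prefix` rather than a named key.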