
Lowell Alleman edited this page Nov 17, 2018 · 2 revisions

jsonformat

The jsonformat command is pretty straightforward to use, but also has a few tricks. Here are some examples worth exploring.

Classic use case

In raw mode, many JSON events are stored compactly (minified) to save space, which makes them very difficult to read. If you've ever clicked "Show as raw text", you've probably noticed this. Events like this can take many clicks to fully expand in the UI, and that adds up to a lot of wasted time over the course of a day.

Convert this:

{"glossary":{"title":"example glossary","GlossDiv":{"title":"S","GlossList":{"GlossEntry":{"ID":"SGML","SortAs":"SGML","GlossTerm":"Standard Generalized Markup Language","Acronym":"SGML","Abbrev":"ISO 8879:1986","GlossDef":{"para":"A meta-markup language, used to create markup languages such as DocBook.","GlossSeeAlso":["GML","XML"]},"GlossSee":"markup"}}}}}

Into this:

{
    "glossary": {
        "title": "example glossary",
        "GlossDiv": {
            "title": "S",
            "GlossList": {
                "GlossEntry": {
                    "ID": "SGML",
                    "SortAs": "SGML",
                    "GlossTerm": "Standard Generalized Markup Language",
                    "Acronym": "SGML",
                    "Abbrev": "ISO 8879:1986",
                    "GlossDef": {
                        "para": "A meta-markup language, used to create markup languages such as DocBook.",
                        "GlossSeeAlso": [
                            "GML",
                            "XML"
                        ]
                    },
                    "GlossSee": "markup"
                }
            }
        }
    }
}

So the most obvious use case of this command is to make JSON events easier on the eye. Check it out for yourself:

| eval _raw="{\"glossary\":{\"title\":\"example glossary\",\"GlossDiv\":{\"title\":\"S\",\"GlossList\":{\"GlossEntry\":{\"ID\":\"SGML\",\"SortAs\":\"SGML\",\"GlossTerm\":\"Standard Generalized Markup Language\",\"Acronym\":\"SGML\",\"Abbrev\":\"ISO 8879:1986\",\"GlossDef\":{\"para\":\"A meta-markup language, used to create markup languages such as DocBook.\",\"GlossSeeAlso\":[\"GML\",\"XML\"]},\"GlossSee\":\"markup\"}}}}}" 
| jsonformat 

Note that Splunk versions prior to 7.2 don't display fields containing newlines in table mode, so if the example above doesn't work for you, that may be why. Instead, search for any JSON events you have on hand, add | jsonformat to your search, flip over to the "Events" tab and click "Show as raw text".

Comparing JSON objects

If you suspect that two objects are the same but may differ in whitespace or key order, use jsonformat with order=sort to normalize both sides before comparing them:

... | jsonformat order=sort a as a_sorted, b as b_sorted | where a_sorted!=b_sorted | table a_sorted b_sorted

TODO: Add run-anywhere example
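The following is an added Python illustration of the same normalize-then-compare idea, written for this page; it is not code from the jsonformat/jmespath app and does not reproduce its internals. The three sample events are constructed for the example. Both documents are re-serialised with sorted object keys and fixed indentation (with indent=4 this is also the pretty-printed form from the classic use case), so whitespace and key order stop mattering and anything that still differs is a real difference. Only object keys are sorted; array elements are left in place, because JSON arrays are ordered and `["admin","audit"]` is a different value from `["audit","admin"]`. The `json_diff` helper goes one step further than `where a_sorted!=b_sorted` and reports where the two documents differ.

```python
"""Canonical-form comparison of JSON events.

Editor's added example, not code from the jsonformat/jmespath app: re-emit
two JSON documents with sorted keys and fixed indentation, then compare.
Object keys are sorted; array elements are never reordered (JSON arrays
are ordered, so changing their order changes the value).
"""
import json

# Constructed sample events (not from any real system): A and B carry the
# same data with different whitespace and key order; C swaps the role order.
EVENT_A = '{"user":"alice","roles":["admin","audit"],"mfa":true,"src":{"ip":"10.0.0.5","port":51234}}'
EVENT_B = ('{ "src" : { "port" : 51234 , "ip" : "10.0.0.5" } , "mfa" : true , '
           '"roles" : [ "admin" , "audit" ] , "user" : "alice" }')
EVENT_C = '{"user":"alice","roles":["audit","admin"],"mfa":true,"src":{"ip":"10.0.0.5","port":51234}}'


def canonical(text: str, indent: int = 4) -> str:
    """Parse JSON text and re-emit it pretty-printed with sorted object keys.

    With indent=4 this is also the readable form shown in the classic use case.
    """
    return json.dumps(json.loads(text), sort_keys=True, indent=indent, ensure_ascii=False)


def same_json(a: str, b: str) -> bool:
    """True when two JSON texts encode the same value (whitespace and key order ignored)."""
    return canonical(a) == canonical(b)


def json_diff(a, b, path: str = "$") -> list:
    """Return the paths at which two parsed JSON values differ ([] when equal)."""
    if type(a) is not type(b):            # also separates true from 1, and 1 from 1.0
        return [path]
    if isinstance(a, dict):
        diffs = []
        for key in sorted(set(a) | set(b)):
            if key not in a or key not in b:
                diffs.append(f"{path}.{key}")          # key present on one side only
            else:
                diffs.extend(json_diff(a[key], b[key], f"{path}.{key}"))
        return diffs
    if isinstance(a, list):
        if len(a) != len(b):
            return [path]
        diffs = []
        for i, (x, y) in enumerate(zip(a, b)):        # positional: order is significant
            diffs.extend(json_diff(x, y, f"{path}[{i}]"))
        return diffs
    return [] if a == b else [path]       # str, int, float, bool, None


def json_diff_text(a: str, b: str) -> list:
    """json_diff over two JSON strings."""
    return json_diff(json.loads(a), json.loads(b))


if __name__ == "__main__":
    print(canonical(EVENT_A))
    print("A == B:", same_json(EVENT_A, EVENT_B))   # True: only whitespace/key order differ
    print("A == C:", same_json(EVENT_A, EVENT_C))   # False: array order is significant
    print("A vs C differs at:", json_diff_text(EVENT_A, EVENT_C))
```

Comparing the canonical strings is enough to answer "same or not"; `json_diff` is what you reach for when the answer is "not" and you need to know which field moved, was dropped, or changed type (a `1` that became `1.0` or a `true` that became `1` is flagged as a difference, matching what a string comparison of the formatted output would do).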

Convert a Python repr format to JSON (unofficial)

The jsonformat command can convert a Python literal (repr format) to JSON, which allows further processing via spath or jmespath. Note that this feature may go away. If you rely on it, please ping us and describe your use case.

... | jsonformat input_mode=python pydict as json | spath input=json ...

TODO: Add run-anywhere example
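As an added Python illustration of what a repr-to-JSON conversion has to do (written for this page; it is not the jsonformat app's implementation and makes no claim about how the app handles these cases), here is the conversion done safely. Logs frequently contain Python dict and list reprs (single quotes, `True`/`False`/`None`, tuples) that no JSON parser accepts. The text is parsed with `ast.literal_eval`, which evaluates literals only and refuses names, calls, attribute access and subscripts, so hostile log content cannot run code the way `eval()` would. Python-only types are then mapped onto JSON: tuples and sets become arrays, non-string dict keys become strings, and anything without a JSON equivalent (bytes, complex numbers) is rejected rather than guessed at. The sample repr is constructed for the example.

```python
"""Python repr -> JSON, the safe way.

Editor's added example, not the jsonformat app's code. ast.literal_eval
evaluates only literals (dicts, lists, tuples, sets, strings, numbers,
True/False/None) and raises on anything else, so this never executes the
input. Python-only types are then mapped onto JSON equivalents.
"""
import ast
import json

# Constructed sample, as a Python repr might appear inside a log line.
SAMPLE_REPR = ("{'user': 'alice', 'admin': True, 'last_login': None, "
               "'groups': ('ops', 'sec'), 'attempts': 3}")


def _to_jsonable(value):
    """Recursively map Python literal types onto JSON-compatible ones."""
    if isinstance(value, dict):
        return {_json_key(k): _to_jsonable(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [_to_jsonable(v) for v in value]
    if isinstance(value, (set, frozenset)):
        # Sets are unordered; sort by repr so the output is stable across runs.
        return sorted((_to_jsonable(v) for v in value), key=repr)
    return value  # str, int, float, bool, None pass through; bytes/complex fail in json.dumps


def _json_key(key):
    """JSON object keys must be strings; spell non-string keys the way JSON would."""
    if isinstance(key, str):
        return key
    if isinstance(key, (bool, int, float)) or key is None:
        return json.dumps(key)  # True -> "true", None -> "null", 7 -> "7"
    raise ValueError(f"dict key {key!r} cannot be a JSON object key")


def python_repr_to_json(text: str, indent=None) -> str:
    """Convert a Python literal repr to JSON text; raise ValueError if it is not a safe literal."""
    try:
        value = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a Python literal: {exc}") from None
    try:
        return json.dumps(_to_jsonable(value), indent=indent, ensure_ascii=False)
    except TypeError as exc:  # e.g. bytes or complex numbers
        raise ValueError(f"no JSON representation: {exc}") from None


def python_repr_to_json_or_none(text: str):
    """Lenient variant for pipelines: None instead of an exception on bad input."""
    try:
        return python_repr_to_json(text)
    except ValueError:
        return None


if __name__ == "__main__":
    print(python_repr_to_json(SAMPLE_REPR, indent=4))
    # Code disguised as a "dict" is refused rather than executed:
    print(python_repr_to_json_or_none("__import__('os').system('id')"))  # None
```

The lenient `_or_none` variant is the shape you want inside a search pipeline: a malformed or malicious value yields an empty result for that event rather than aborting the whole job, and the strict variant is there for tests and for callers that want to know why a value was rejected.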