Command Reference jsonformat
Reformat, validate, and/or reorder a json event or field(s)
jsonformat (indent=<int>)? (order=(undefined|preserve|sort))? (errors=<field>)?
(input_mode=(json|python))? (output_mode=(json|makeresults))?
(<field> (as <field>)?)*
Format the body of a JSON event or named JSON field(s). Any validation errors are reported to the field specified to the 'errors' field.
Splunk shows JSON events with color coding and nested sections can be expanded as needed. However, in deeply nested or highly repetitive structures opening these manually can slow you down. Another use case is normalizing JSON representations for comparison purposes.
-
undefined
- no sorting or preservation of hash order will be kept. This mode is slightly faster. According to the JSON spec, key order is irrelevant. -
preserve
- representation order is preserved in the formatted output. Helpful for log messages crafted in a specific order. This is the default mode because it's often what users want. -
sort
- all hash keys are sorted lexicographically. This gives a more consistent result.
Note: In 1.9.5 the default switched from undefined
to preserve
, as this is more user friendly and the slight resource usage increase shouldn't matter because this command wouldn't typically be used in a performance-critical searches.
Note: This is an unsupported feature.
By default, input is expected to be json
. However, this command can be used to parse python
representation strings (literals only) which is sometimes provided by the internal logs of TAs for example. Once the output is converted to json, other JSON specific commands can be used to manipulate the data.
Note: This is an unsupported feature.
Normally the output mode is json
, make sense, doesn't it? However for special uses (like for me, when I'm writing these docs) it's helpful to generate a run-anywhere example that can be easily shared. This can often come in handy if you have some complex JSON manipulation that you need help with and want to post it on a forum, like on Splunk Answers.
Format a JSON string and store redirect the formatted output in a new field
... | jsonformat json as json_formatted
Validate a JSON field and show all invalid values
... | jsonformat myfield errors=myfield_errors
| where myfield_errors!="none"
Format the body of a JSON event and sort hashes by key. This produces a consistent or "canonical" type output.
... | jsonformat order=sort
If you suspect that 2 objects are the same, but may differ in whitespace or key sort order, then use jsonformat
to facilitate the comparison.
... | jsonformat order=sort a as a_sorted, b as b_sorted
| where a_sorted!=b_sorted
| table a_sorted b_sorted
If you have a JSON object you'd like to export as a stable (run-anywhere) example, use the following search command.
... | jsonformat output_mode=makeresults
Will take the JSON object (stored in _raw
) and format it in a condensed SPL command that can be easily copy-n-pasted. The output will use the makeresults
command to create a single dummy result, and use the eval
command to hold the literal value of the JSON object. For space saving reasons, the JSON object condensed and all unnecessary whitespace is removed. Note that special characters are handled as well, such as double-quotes, backslashes, newlines, and so on. (We use this technique throughout these docs, and encourage bug reporters to use this to provide runnable samples.)
The output will look something like:
| makeresults | eval _raw="{\"key\":\"value\"}"
Additional content and run-anywhere examples are available on Search Examples: jsonformat.
- Introduction
- So what is JMESPath?
- What's wrong with spath?
- Command Reference
- Tutorial (Search examples)
- Change Log