-
Notifications
You must be signed in to change notification settings - Fork 1
Command Reference jsonformat
Reformat, validate, and/or reorder a json event or field(s)
jsonformat (indent=<int>)? (order=(undefined|preserve|sort))? (errors=<field>)? (input_mode=(json|python))? (<field> (as <field>)?)*
Format the body of a JSON event or named JSON field(s). Any validation errors are reported to the field specified to the 'errors' field.
Splunk shows JSON events with color coding and nested sections can be expanded as needed. However, in deeply nested or highly repetitive structures opening these manually can slow you down. Another use case is normalizing JSON representations for comparison purposes.
-
undefined- no sorting or preservation of hash order will be kept. Default because JSON says hash key order is irrelevant -
preserve- representation order is preserved in the formatted output. Helpful for log messages crafted in a specific order. (This is not the default because it's slightly slower, and consumes a bit more memory.) -
sort- all hash keys are sorted lexicographically. This gives a more consistent result.
Note: This is an unsupported feature.
By default, input is expected to be json. However, this command can be used to parse python representation strings (literals only) which is sometimes provided by the internal logs of TAs for example. Once the output is converted to json, other JSON specific commands can be used to manipulate the data.
Additional content and run-anywhere examples are available on Search Examples: jsonformat.
- Introduction
- So what is JMESPath?
- What's wrong with spath?
- Command Reference
- Tutorial (Search examples)
- Change Log