Reputation: 1934
Splunk python SDK exporting json string
I'm trying to export query results from Splunk into a Python application. I've got Key-Value fields, and one of those has a json string (that is a json structure wrapped in quotes).
First I had encountered an issue where using the table command would only return the opening bracket (e.g. "{") - which I then resolved by extracting the text via rex.
However, despite the query working well in Splunk UI, including the download option, whenever I query via the SDK I keep getting "{" as a value. I've tried CSV/JSON/XML exports, and all experience the same issue.
Any suggestions?
Upvotes: 0
Views: 536
Answers (1)
Reputation: 1934
Looks like the issue was an escaping one - I originally had:
| rex field=_raw ".*filter=(?<filter>\".*\}\"),"
Which when replaced with the following, worked:
| rex field=_raw ".*filter=(?<filter>\\".*\}\\"),"
Escaping had to be double in order to work properly.
Upvotes: 1
Related Questions
- Search Splunk API using python
- Search on Splunk via Python SDK
- Pushing logs from python to Splunk
- Splunk data export using API
- How to connect to Splunk API via Python, receiving javascript error
- how do I parse a JSON file to SPLUNK?
- Python: .json data from splunk
- How to remove '|' from json export in splunk?
- write log entry to splunk via HTTP in python
- How do I get the full content of a Splunk search result when using the Python SDK?