I just wrote an app that can create JSON in-line: https://splunkbase.splunk.com/app/3540/
With this you could convert _raw (and any other fields not from _raw) to JSON, then export a "csv" with one field containing the JSON.
... | mkjson outputfield=json | table json | outputcsv mycsv
Be sure to read the Usage guide (https://github.com/doksu/TA-jsontools/wiki#usage-1) which has a range of examples.
@doksu
I have a query where we are trying to output the results into csv but now we would like to have that in json format.
Can we do that through this app?
I'm not sure I understand the question. Splunk cannot write to a JSON file; however, you can produce JSON using the mkjson command as seen above, then pipe that to another command like outputcsv to dump that to disk (JSON inside a CSV).
There is no analogous search command to write a JSON formatted file from within a search itself. You can run a search using the REST API (http://www.splunk.com/base/Documentation/latest/Developer/RESTIntro) and fetch the results in JSON format using the argument output_mode=json from the events, results or results_preview resources.
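The "JSON inside a CSV" file from the mkjson ... outputcsv search earlier in the thread can be unwrapped into a plain JSON-lines file after export. The following is an added example, not code from the thread or from TA-jsontools; the sample rows, the function names and the one-object-per-line output format are assumptions made for illustration.

```python
import csv
import io
import json

# Constructed sample of a CSV with a single "json" column, as produced by
# "... | mkjson outputfield=json | table json | outputcsv mycsv".
# CSV quoting doubles every quote inside the JSON; the last row is truncated.
SAMPLE_CSV = (
    'json\r\n'
    '"{""host"": ""web01"", ""status"": ""200"", ""uri"": ""/login""}"\r\n'
    '"{""host"": ""web02"", ""msg"": ""failed, retry""}"\r\n'
    '"{""host"": ""web03"", ""status"": "\r\n'
)


def unwrap_json_column(csv_file, field="json"):
    """Return (records, rejects) from a CSV whose `field` column holds JSON."""
    reader = csv.DictReader(csv_file)
    if field not in (reader.fieldnames or []):
        raise ValueError(f"column {field!r} not found in {reader.fieldnames}")
    records, rejects = [], []
    for row in reader:
        try:
            doc = json.loads(row[field])
        except (TypeError, json.JSONDecodeError) as exc:
            # Keep the source line so a damaged event can be traced, not lost.
            rejects.append((reader.line_num, str(exc)))
            continue
        if isinstance(doc, dict):
            records.append(doc)
        else:
            rejects.append((reader.line_num, "not a JSON object"))
    return records, rejects


def write_json_lines(records, out_file):
    """Write one JSON object per line; return the number of lines written."""
    for doc in records:
        out_file.write(json.dumps(doc, sort_keys=True) + "\n")
    return len(records)


if __name__ == "__main__":
    recs, bad = unwrap_json_column(io.StringIO(SAMPLE_CSV, newline=""))
    out = io.StringIO()
    print(write_json_lines(recs, out), "records written;", len(bad), "rejected")
    print(out.getvalue(), end="")
```

Open the real export with `open(path, newline="")` so the csv module handles quoted line breaks itself.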