This is the key point. The "by design" answer is centered on the behavior of the REST API's streaming nature. But that's entirely separate from the behavior one would expect when exporting a completed query from the Splunk UI for further analysis.
The cited reason for this behavior actually contradicts the behavior in the Splunk UI:
"the response as a whole is not a valid JSON document is correct. However, this is by design,
and equivalent to what we do with XML output"
-- from https://answers.splunk.com/answers/65932/rest-api-json-invalid-format.html.
In fact, if I download query results from the UI as XML, it returns a fully-formed XML document, not a list of individual lines of XML. The UI is not treating this as a streaming response in the case of XML, but it is for JSON, which is inconsistent.
This is where the behavior of the REST API should be separated from the behavior of the UI: they have different intended purposes. If a user is downloading from the UI, they want a valid document of either XML or JSON. If they are using the API, they should get the raw form of line-oriented records. Anyone using the API has tools to rewrite it however they want, but a user downloading from the web does not.
If the Splunk team is set on delivering query results as if they are incomplete streams, could they at least bend a little and offer an option? Offer "Streaming JSON" and "JSON" both so users don't have to cobble together code snippets to get a valid file at the end.
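Added example, not part of the original post and not Splunk's code: one way to turn a line-oriented JSON export into a single valid JSON array, streaming record by record and reporting any line that fails to parse (for instance a download cut off mid-record). The function name and the sample records, including their `result` wrapper, are constructed for illustration; the converter does not depend on the record shape.

```python
import io
import json


def ndjson_to_array(src, dst):
    """Copy line-delimited JSON records from src to dst as one JSON array.

    Streams one record at a time, so memory use stays flat on large exports.
    Returns (records_written, rejected_line_numbers).
    """
    written, rejected = 0, []
    dst.write("[")
    for lineno, line in enumerate(src, 1):
        line = line.strip()
        if not line:
            continue  # blank separator lines carry no record
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(lineno)  # e.g. export truncated mid-record
            continue
        dst.write(",\n" if written else "\n")
        json.dump(record, dst)
        written += 1
    dst.write("\n]\n")
    return written, rejected


# Constructed sample: three records, a blank line, and a truncated last line.
SAMPLE = (
    '{"result": {"host": "web01", "count": "3"}}\n'
    '{"result": {"host": "web02", "count": "7"}}\n'
    '\n'
    '{"result": {"host": "db01", "count": "1"}}\n'
    '{"result": {"host": "db02", "cou'
)


def convert_sample():
    """Run the converter over SAMPLE and return (stats, output_text)."""
    out = io.StringIO()
    stats = ndjson_to_array(io.StringIO(SAMPLE), out)
    return stats, out.getvalue()


if __name__ == "__main__":
    (written, rejected), text = convert_sample()
    print(text, end="")
    print(f"{written} records written, rejected lines: {rejected}")
```

Rejected line numbers are worth keeping with the converted file: a dropped record in exported search results is a gap in whatever analysis follows.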