Splunk Search Results: JSON to HTML Table Conversion in PowerShell

Splunk search results can be exported from the UI as CSV, JSON, and XML, but not as HTML. This article presents a PowerShell script that converts exported search results from JSON into an HTML table for use with documentation, blogs, etc.

Format of Splunk Search Results Exported to JSON

JSON files with exported Splunk search results have the following structure:

{"preview":false,"result":{"field1":"value1-1","field2":"value2-1"}}
{"preview":false,"lastrow":true,"result":{"field1":"value1-2","field2":["value2-2a","value2-2b"]}}

As you can see, each line is an independent JSON object. Most likely you’re not interested in metadata, only in the fields returned from your search. The fields and their values are encapsulated in the result object.

Splunk searches may return multiple values per field. Such multivalue fields are represented as JSON arrays in the export, as shown in the value for field2 in the second row of the example above. The conversion script deals with multivalue fields correctly, separating individual values by line breaks.

Conversion Script

Without further ado, this is the PowerShell script to convert Splunk’s JSON export into a nicely formatted HTML table:

param ([Parameter(Mandatory)] $inputFile, [Parameter(Mandatory)] $outputFile)

$newline          = [Environment]::NewLine
[bool] $firstLine = $true

# Loop over all search results (each line in the export is one result)
Get-Content $inputFile | ForEach-Object {
   $json = $_ | ConvertFrom-Json

   if ($firstLine)
   {
      $output  = "<table>$newline"
      $output += "   <thead>$newline"
      $output += "      <tr>$newline"

      # Iterate over all fields in this search result
      ForEach ($field in $json.result.PsObject.Properties) {
         $output += "         <th>$($field.Name)</th>$newline"
      }

      $output += "      </tr>$newline"
      $output += "   </thead>$newline"
      $output += "   <tbody>$newline"
   }

   $output += "      <tr>$newline"

   # Iterate over all fields in this search result
   ForEach ($field in $json.result.PsObject.Properties) {
      # Each field could be multivalue -> join
      $value = $field.Value -join "<br>"

      $output += "         <td>$value</td>$newline"
   }

   $output += "      </tr>$newline"

   $firstLine = $false
}

$output += "   </tbody>$newline"
$output += "</table>$newline"

Set-Content -Path $outputFile -value $output
HTMLJSONPowerShellScriptSplunk

Comments

Related Posts

Why Sizing for Averages is a Bad Idea

Why Sizing for Averages is a Bad Idea
When sizing a new environment it is tempting to use averages. It seems the logical thing to do. But it also guarantees a bad user experience. Example: Sizing an RDS or XenApp Farm Let’s say you’re tasked with building a new Citrix XenApp farm. Being a diligent IT person you set up a pilot: one or two machines with all the right software and settings. Then you carefully select a group of pilot users in such a way that they represent the organization’s employee types statistically correctly. Then you let them work on the new platform, ironing out bugs and such. At the end of that period, you have a great new platform. But there is one big question left: how many servers to buy?!
Logs & Metrics

Latest Posts