outputjson

Writes field values of input records in JSON text format to a specified file system path. Each record is written as a single-line JSON literal, separated by newlines.

Command properties

Property	Description
Command type	Transforming
Required permission	None
License usage	N/A
Parallel execution	Not supported
Distributed execution	Runs on Control Node (reducer)

Syntax

outputjson [overwrite=BOOL] [append=BOOL] [encoding=STR] [partition=BOOL] [tmp=STR] [flush=INT{s|m|h|d}] FILE_PATH [FIELD, ...]

Options

overwrite=BOOL: When set to t, overwrites the destination file even if it already exists. If not set, the query fails if the file exists. Cannot be used together with the append option. (Default: f)
append=BOOL: When set to t, appends to the end of the destination file if it already exists. Cannot be used together with the overwrite option. (Default: f)
encoding=STR: Character encoding of the output file. (Default: utf-8)
partition=BOOL: When set to t, uses time-based macros in the file path to write to separate files by partition. The logtime macro (based on log time) and the now macro (based on current time) are available. (Default: f)
tmp=STR: Temporary file path. When set, writes to this temporary path during execution, then moves to the final file path when the query completes.
flush=INT{s|m|h|d}: Interval at which the buffer is periodically flushed. For example, flush=10s flushes the buffer every 10 seconds.

Target

FILE_PATH: File system path where the JSON file is written. When used with partition=t, you can include time macros such as {logtime:yyyy}, {logtime:MM}, {logtime:dd}, {now:yyyy} in the path.
[FIELD, ...]: Names of fields to write to the JSON file. Separate multiple fields with commas (,). If no fields are specified, all fields of the record are written.

Error codes

Parse errors

Error code	Message	Description
30300	Invalid outputjson command query.	The command string ends with a comma.
30301	When the file path for the outputjson command contains macros, the partition option is required.	The file path contains time macros but `partition=t` is not set.
30302	missing-field	Output field names were not specified.
30304	The overwrite and append options cannot be used simultaneously in the outputjson command.	Both `overwrite=t` and `append=t` were specified.
30305	Access denied to the temporary file path [tmp_path] for the outputjson command.	No access permission to the temporary file path.
30306	Access denied to the file path [file_path] for the outputjson command.	No access permission to the JSON file path.

Runtime errors

Error code	Message	Description	Post-processing behavior
30303	An IO error occurred while running the outputjson command: [msg].	An I/O error occurred while writing to the file.	Closes the file handle and cancels the query.
30306	Access denied to the file path [file_path] for the outputjson command.	Cannot access the resolved file path in partition mode.	Cancels the query.

Description

The outputjson command writes input records to a file in JSON format. Each record is written as a single-line JSON object, separated by newline characters. When fields are specified, only those fields are written. When fields are omitted, all fields of the record are written. After writing, records are passed to the next command unchanged.

When partition=t is used, the time macro in the file path is resolved based on the _time field value (log time) of each record, and records are written to separate files by partition.

When the tmp option is used, records are written to the temporary file path during query execution, and the file is moved to the final path when the query completes normally. If the query is cancelled and the mode is not append, the temporary file or output file is deleted.

In a distributed environment, file writing is performed on the Control Node.

Examples

Write to a JSON file

json "[{'src_ip': '192.0.2.1', 'dst_ip': '198.51.100.1', 'bytes': 1024}, {'src_ip': '192.0.2.2', 'dst_ip': '203.0.113.5', 'bytes': 2048}]"
| outputjson /opt/logpresso/output/result.json src_ip, dst_ip, bytes

Writes the src_ip, dst_ip, and bytes fields to /opt/logpresso/output/result.json in JSON format.

Write all fields to a JSON file

json "[{'src_ip': '192.0.2.1', 'method': 'GET', 'status': 200}]"
| outputjson /opt/logpresso/output/all_fields.json

When no fields are specified, all fields of the record are written.

Overwrite an existing file

json "[{'name': 'Alice', 'score': 85}, {'name': 'Bob', 'score': 92}]"
| outputjson overwrite=t /opt/logpresso/output/scores.json name, score

Overwrites the destination file even if it already exists.

Write to separate files by partition

table duration=1d web_logs
| outputjson partition=t /opt/logpresso/output/{logtime:yyyy}/{logtime:MM}/{logtime:dd}/access.json src_ip, method, status

Creates year/month/day directories based on log time and writes to separate JSON files by partition.

Append to an existing file

json "[{'host': 'web-01', 'cpu': 75.2}]"
| outputjson append=t /opt/logpresso/output/metrics.json host, cpu

Appends records to the end of an existing file.

Write using a temporary file
```
table duration=1h web_logs
| outputjson tmp=/opt/logpresso/output/result.tmp /opt/logpresso/output/result.json src_ip, dst_ip, bytes
```
Writes to a temporary file during query execution, then moves it to the final path when the query completes normally.