Starting with SPE 9.3.1 there are two options to control the JSON format when logs are uploaded to CloudWatch when using the SPE AMI.

• SPE 9.3.1 Amazon Machine Image (AMI)

As of SPE 9.3.1 there is a "prettyprint" setting which can be modified in configuration.xml. 

/opt/SYMCscan/bin/configuration.xml

xml path below

/configuration/Logging/LogCloud/@prettyprint

Allowed values

• true
• false

Default value: true.

This setting can be changed using xmlmodifier or xpathlist.

The true setting leaves the default behavior where "prettyprint" is used.  Changing the setting to false will output the entire json log in a single line.

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/symantec-protection-engine/9-1-0/Core-server-only-mode/about-xmlmodifier-tool-v128491297-d4995e18749.html