Archive

How to preserve order of json array in search results?

Path Finder

We are on Splunk 6.2.1

We have logging raw json including 'stack_trace' as a json array like this:

{"exception_class":"Aws::Route53::Errors::PriorRequestNotComplete","exception_message":"The request was rejected because **edited**.","stack_trace":["/(**edited**):in `call'","/(**edited**):in `call'", ... 

Splunk Search shows a nice parsed json 'syntax highlighted' view with expand/collapse controls etc. However this view presents the 'stack_trace' json array elements sorted into alphabetical order. But of course we need to view the stack_trace in original json logged order (which appears correctly in 'Show as raw text' view).

How can we stop Splunk syntax view from sorting our json array? Any solution that presents the array in original order is acceptable, doesn't have to be in the Search syntax highlighted view.

Tags (1)

Communicator

To view unsorted JSON in syntax highlighted view, edit common.js and replace "_.keys(obj).sort()" with "_.keys(obj)". This is probably best done in the browser, not on the backend.

Other than that, using 'Show as raw text', which you already mentioned, will keep the original order.
You can also use rex/sed or eval/replace to split on every line, but simple solutions for that won't indent like the syntax highlighted view.

0 Karma

Communicator

I appears that the sorting occurs in common.js. I don't know if the sorting is called in a way that can be bypassed.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!