- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is JSON from scripted input raw events in rand...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
have no idea what is going on here. I can make the same api call that the script is and receive the json back in the same order every time. Splunk for some reason has the response payload elements in random orders.
Anyone have any ideas?
Here are some examples of the first part of the raw payload as displayed in Splunk form the same input (running every 3 minutes)
{"more": true, "incidents": [{"last_status_change_by": {"summary":
{"total": null, "more": true, "limit": 2, "incidents": [{"incident_key":
{"offset": 0, "total": null, "incidents": [{"incident_number":
The preferred way I would like to see this is as below, which is also what is constantly output from running the script directly
{"incidents":[{"incident_number":164831,"title":"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
It was only an issue as I needed to break the json into individual elements, so setting a line_breaker or break before wouldn't work without knowing how the events are coming in, that said, the solution was easier than I though just pass a sort_keys argument
print(json.dumps(json_data, sort_keys=True))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
It was only an issue as I needed to break the json into individual elements, so setting a line_breaker or break before wouldn't work without knowing how the events are coming in, that said, the solution was easier than I though just pass a sort_keys argument
print(json.dumps(json_data, sort_keys=True))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
I should add, that although json is a random order payload, the script itself somehow always returned the same order when run via pycharm, etc. The reason I care is I need to set line_breakers to extract each incident into its own event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Not something I've seen before. Theoretically JSON/py dict key order is irrelevant (although I think arrays are meant to be returned in element order) and there is nothing broken in returning the data out of order, but I agree it it nice when it comes back the same way every time.
That said other than the look of it, this shouldn't be causing an issue - is it breaking your search in some way?
Maximize the Value from Microsoft Defender with Splunk
This Week's Community Digest - Splunk Community Happenings [6.27.22]
Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...
