Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is JSON from scripted input raw events in random orders?

Cuyose
Builder
‎07-25-2018 10:06 AM

have no idea what is going on here. I can make the same api call that the script is and receive the json back in the same order every time. Splunk for some reason has the response payload elements in random orders.

Anyone have any ideas?

Here are some examples of the first part of the raw payload as displayed in Splunk form the same input (running every 3 minutes)

{"more": true, "incidents": [{"last_status_change_by": {"summary":

{"total": null, "more": true, "limit": 2, "incidents": [{"incident_key":

{"offset": 0, "total": null, "incidents": [{"incident_number":

The preferred way I would like to see this is as below, which is also what is constantly output from running the script directly

{"incidents":[{"incident_number":164831,"title":"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Cuyose
Builder
‎07-26-2018 07:32 AM

It was only an issue as I needed to break the json into individual elements, so setting a line_breaker or break before wouldn't work without knowing how the events are coming in, that said, the solution was easier than I though just pass a sort_keys argument

print(json.dumps(json_data, sort_keys=True))

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Cuyose
Builder
‎07-26-2018 07:32 AM

It was only an issue as I needed to break the json into individual elements, so setting a line_breaker or break before wouldn't work without knowing how the events are coming in, that said, the solution was easier than I though just pass a sort_keys argument

print(json.dumps(json_data, sort_keys=True))

0 Karma
Reply
Solved! Jump to solution

Cuyose
Builder
‎07-25-2018 10:12 AM

I should add, that although json is a random order payload, the script itself somehow always returned the same order when run via pycharm, etc. The reason I care is I need to set line_breakers to extract each incident into its own event.

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎07-26-2018 05:42 AM

Not something I've seen before. Theoretically JSON/py dict key order is irrelevant (although I think arrays are meant to be returned in element order) and there is nothing broken in returning the data out of order, but I agree it it nice when it comes back the same way every time.

That said other than the look of it, this shouldn't be causing an issue - is it breaking your search in some way?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...