Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is JSON from scripted input raw events in random orders?

Cuyose
Builder
‎07-25-2018 10:06 AM

have no idea what is going on here. I can make the same api call that the script is and receive the json back in the same order every time. Splunk for some reason has the response payload elements in random orders.

Anyone have any ideas?

Here are some examples of the first part of the raw payload as displayed in Splunk form the same input (running every 3 minutes)

{"more": true, "incidents": [{"last_status_change_by": {"summary":

{"total": null, "more": true, "limit": 2, "incidents": [{"incident_key":

{"offset": 0, "total": null, "incidents": [{"incident_number":

The preferred way I would like to see this is as below, which is also what is constantly output from running the script directly

{"incidents":[{"incident_number":164831,"title":"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Cuyose
Builder
‎07-26-2018 07:32 AM

It was only an issue as I needed to break the json into individual elements, so setting a line_breaker or break before wouldn't work without knowing how the events are coming in, that said, the solution was easier than I though just pass a sort_keys argument

print(json.dumps(json_data, sort_keys=True))

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Cuyose
Builder
‎07-26-2018 07:32 AM

It was only an issue as I needed to break the json into individual elements, so setting a line_breaker or break before wouldn't work without knowing how the events are coming in, that said, the solution was easier than I though just pass a sort_keys argument

print(json.dumps(json_data, sort_keys=True))

0 Karma
Reply
Solved! Jump to solution

Cuyose
Builder
‎07-25-2018 10:12 AM

I should add, that although json is a random order payload, the script itself somehow always returned the same order when run via pycharm, etc. The reason I care is I need to set line_breakers to extract each incident into its own event.

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎07-26-2018 05:42 AM

Not something I've seen before. Theoretically JSON/py dict key order is irrelevant (although I think arrays are meant to be returned in element order) and there is nothing broken in returning the data out of order, but I agree it it nice when it comes back the same way every time.

That said other than the look of it, this shouldn't be causing an issue - is it breaking your search in some way?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...