Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why is JSON from scripted input raw events in random orders?

Cuyose
Builder
‎07-25-2018 10:06 AM

have no idea what is going on here. I can make the same api call that the script is and receive the json back in the same order every time. Splunk for some reason has the response payload elements in random orders.

Anyone have any ideas?

Here are some examples of the first part of the raw payload as displayed in Splunk form the same input (running every 3 minutes)

{"more": true, "incidents": [{"last_status_change_by": {"summary":

{"total": null, "more": true, "limit": 2, "incidents": [{"incident_key":

{"offset": 0, "total": null, "incidents": [{"incident_number":

The preferred way I would like to see this is as below, which is also what is constantly output from running the script directly

{"incidents":[{"incident_number":164831,"title":"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Cuyose
Builder
‎07-26-2018 07:32 AM

It was only an issue as I needed to break the json into individual elements, so setting a line_breaker or break before wouldn't work without knowing how the events are coming in, that said, the solution was easier than I though just pass a sort_keys argument

print(json.dumps(json_data, sort_keys=True))

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Cuyose
Builder
‎07-26-2018 07:32 AM

It was only an issue as I needed to break the json into individual elements, so setting a line_breaker or break before wouldn't work without knowing how the events are coming in, that said, the solution was easier than I though just pass a sort_keys argument

print(json.dumps(json_data, sort_keys=True))

0 Karma
Reply
Solved! Jump to solution

Cuyose
Builder
‎07-25-2018 10:12 AM

I should add, that although json is a random order payload, the script itself somehow always returned the same order when run via pycharm, etc. The reason I care is I need to set line_breakers to extract each incident into its own event.

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎07-26-2018 05:42 AM

Not something I've seen before. Theoretically JSON/py dict key order is irrelevant (although I think arrays are meant to be returned in element order) and there is nothing broken in returning the data out of order, but I agree it it nice when it comes back the same way every time.

That said other than the look of it, this shouldn't be causing an issue - is it breaking your search in some way?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...