How to preserve order of json array in search results?
We are on Splunk 6.2.1.
We are logging raw JSON, including 'stack_trace' as a JSON array, like this:
{"exception_class":"Aws::Route53::Errors::PriorRequestNotComplete","exception_message":"The request was rejected because **edited**.","stack_trace":["/(**edited**):in `call'","/(**edited**):in `call'", ...
Splunk Search shows a nice parsed json 'syntax highlighted' view with expand/collapse controls etc. However this view presents the 'stack_trace' json array elements sorted into alphabetical order. But of course we need to view the stack_trace in original json logged order (which appears correctly in 'Show as raw text' view).
How can we stop Splunk syntax view from sorting our json array? Any solution that presents the array in original order is acceptable, doesn't have to be in the Search syntax highlighted view.
To view unsorted JSON in syntax highlighted view, edit common.js and replace "_.keys(obj).sort()" with "_.keys(obj)". This is probably best done in the browser, not on the backend.
Other than that, using 'Show as raw text', which you already mentioned, will keep the original order.
You can also use rex/sed or eval/replace to split on every line, but simple solutions for that won't indent like the syntax highlighted view.
It appears that the sorting occurs in common.js. I don't know if the sorting is called in a way that can be bypassed.
