How to preserve order of json array in search resu...

rgsage · ‎01-31-2017

We are on Splunk 6.2.1

We have logging raw json including 'stack_trace' as a json array like this:

{"exception_class":"Aws::Route53::Errors::PriorRequestNotComplete","exception_message":"The request was rejected because **edited**.","stack_trace":["/(**edited**):in `call'","/(**edited**):in `call'", ...

Splunk Search shows a nice parsed json 'syntax highlighted' view with expand/collapse controls etc. However this view presents the 'stack_trace' json array elements sorted into alphabetical order. But of course we need to view the stack_trace in original json logged order (which appears correctly in 'Show as raw text' view).

How can we stop Splunk syntax view from sorting our json array? Any solution that presents the array in original order is acceptable, doesn't have to be in the Search syntax highlighted view.

malvidin · ‎09-13-2017

To view unsorted JSON in syntax highlighted view, edit common.js and replace "_.keys(obj).sort()" with "_.keys(obj)". This is probably best done in the browser, not on the backend.

Other than that, using 'Show as raw text', which you already mentioned, will keep the original order.
You can also use rex/sed or eval/replace to split on every line, but simple solutions for that won't indent like the syntax highlighted view.

malvidin · ‎09-07-2017

I appears that the sorting occurs in common.js. I don't know if the sorting is called in a way that can be bypassed.

How to preserve order of json array in search results?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms