Is there a way to order/sort the JSON keys prior to hitting the destination?

you can probably do it with regex or other hacks but note that JSON, unlike CSV or some others, is not positional.

Python has sort_keys param. So nothing like this in JS/cribl?https://www.w3schools.com/python/gloss_python_json_sort.asp

We have a regex on the destination side to parse the source identifier and that coming towards the end makes our regex expensive.

if you're using regex, do you need JSON? Maybe switch you K=V or CSV, where you can specify order.

Yes we need JSON. Our SIEM parser is only compatible with JSON for this specific source (Azure).

but requires regex?

correct

SIEM does have a JSON parser but that's available only post processing for property extraction.

The Stringify() function in typescript doesn't have a sorting option. Your alternative would be to use the Code function to build your own stringifier where you specify the order

How do we do that at the event level? Iterate through __e?

(Code or Eval)

iterating is one option.But since you have a requirement around order, I'd think you'd want to just layout the fields

built the textual json by hand, 1 field at a time

or, dump all the keys, sort them, then loop through that list to build the string

Will try different options but would be great if we could have this option as a feature enhancement.

```try { var ans = "{" var a = Object.keys(__e.f).sort() for (var k in a) { ans = `${ans}"${a[k]}":"${__e.f[a[k]]}",` } __e.ans = ans.replace(/,$/,'}')}catch (e) {__e.debug = e.message}```

of course this may be a problem if your object isn't flat. just a starting point :slightly_smiling_face:

where f is your object you want to sort into a stringified JSON

I'll need to do some testing since the webhook destination dumps the entire event except for the hidden fields. Not sure if it is even possible to sort at the top level.

i guess i'm still not clear then on what the goal is

If the destination supported syslog, I'll just have to modify the host.

With webhooks, it gets a bit tricky

Force order (Code function):(put your desired fields in the `first` array, everything else is included with the `...rest`)```let first = ["ProviderId","ProviderName","MachineName"];let [...rest] = Object.keys(e).filter(key => !first.includes(key) && !key.startsWith(""));const ordered = [...first, ...rest];__e['__httpOut'] = JSON.stringify(ordered.reduce((current, val) => Object.assign(current, {[val]: __e[val]}), {}));```

Then change your webhook settings to use the "Custom" format with `__httpOut` as the expression.

https://docs.cribl.io/stream/destinations-webhook/#general-settings