Is there a way to order/sort the JSON keys prior to hitting the destination? I thought prepending the key names with an underscore would bring them to the top, but they show up at the bottom of the JSON structure. The ordering looks the way we want it in the pipeline view but comes out differently in the actual output.
you can probably do it with regex or other hacks but note that JSON, unlike CSV or some others, is not positional.
Python has sort_keys param. So nothing like this in JS/cribl? https://www.w3schools.com/python/gloss_python_json_sort.asp
We have a regex on the destination side to parse the source identifier and that coming towards the end makes our regex expensive.
if you're using regex, do you need JSON? Maybe switch to K=V or CSV, where you can specify order.
Yes we need JSON. Our SIEM parser is only compatible with JSON for this specific source (Azure).
but requires regex?
correct
SIEM does have a JSON parser but that's available only post processing for property extraction.
The Stringify() function in typescript doesn't have a sorting option. Your alternative would be to use the Code function to build your own stringifier where you specify the order
How do we do that at the event level? Iterate through __e?
(Code or Eval)
iterating is one option. But since you have a requirement around order, I'd think you'd want to just lay out the fields
build the textual json by hand, 1 field at a time
or, dump all the keys, sort them, then loop through that list to build the string
Will try different options but would be great if we could have this option as a feature enhancement.
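```
try {
  var ans = "{"
  // sort the key names, then append each "key":"value" pair in that order
  var a = Object.keys(__e.f).sort()
  for (var k in a) {
    ans = `${ans}"${a[k]}":"${__e.f[a[k]]}",`
  }
  // drop the trailing comma (if any) and close the object, so an empty object yields "{}"
  __e.ans = ans.replace(/,$/, '') + '}'
} catch (e) {
  __e.debug = e.message
}
```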
of course this may be a problem if your object isn't flat. just a starting point
where f is your object you want to sort into a stringified JSON
I'll need to do some testing since the webhook destination dumps the entire event except for the hidden fields. Not sure if it is even possible to sort at the top level.
i guess i'm still not clear then on what the goal is
If the destination supported syslog, I'll just have to modify the host.
With webhooks, it gets a bit tricky
Force order (Code function): (put your desired fields in the `first` array, everything else is included with the `...rest`)
```
// fields that must come first, in this order
let first = ["ProviderId","ProviderName","MachineName"];
// every other field of the event, skipping internal fields (names starting with "__")
let [...rest] = Object.keys(__e).filter(key => !first.includes(key) && !key.startsWith("__"));
const ordered = [...first, ...rest];
// rebuild the event in the desired key order and serialize it
__e['__httpOut'] = JSON.stringify(ordered.reduce((current, val) => Object.assign(current, {[val]: __e[val]}), {}));
```
Then change your webhook settings to use the "Custom" format with `__httpOut` as the expression.
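An added example, not part of the thread and not Cribl's own code: a stand-alone JavaScript serializer that carries the approach above through to nested objects, escapes keys and values via `JSON.stringify`, and writes the text by hand so that integer-like keys cannot jump ahead of the priority fields. The function names and the sample event are constructed for illustration.

```javascript
// Added example (not from the thread). Names and the sample event are constructed.

// Serialize any JSON value with object keys in sorted order at every depth.
function sortedStringify(value) {
  if (value !== null && typeof value === 'object' && typeof value.toJSON === 'function') {
    value = value.toJSON(); // e.g. Date -> ISO string, same as JSON.stringify
  }
  if (value === null || typeof value !== 'object') {
    return JSON.stringify(value); // scalars: correct quoting and escaping
  }
  if (Array.isArray(value)) {
    // Array order is data, so it is preserved; unsupported items become null.
    return '[' + value.map(v => {
      const s = sortedStringify(v);
      return s === undefined ? 'null' : s;
    }).join(',') + ']';
  }
  return '{' + members(value, Object.keys(value).sort()).join(',') + '}';
}

// Build "key":value members for the given keys, skipping non-serializable values.
function members(obj, keys) {
  const out = [];
  for (const k of keys) {
    const s = sortedStringify(obj[k]);
    if (s !== undefined) out.push(JSON.stringify(k) + ':' + s);
  }
  return out;
}

// Priority fields first (in the order given), then the remaining fields sorted.
// Fields starting with "__" are treated as internal and left out.
function orderedEventJson(event, first) {
  const head = first.filter(k => Object.prototype.hasOwnProperty.call(event, k));
  const rest = Object.keys(event)
    .filter(k => !first.includes(k) && !k.startsWith('__'))
    .sort();
  return '{' + members(event, head.concat(rest)).join(',') + '}';
}

// Constructed sample event: nested object, quotes to escape, an integer-like key.
const sample = {
  time: 1700000000, 7: 'integer-like key', msg: 'say "hi"\n',
  properties: { z: 1, a: { y: [2, { b: 1, a: 0 }], x: null } },
  MachineName: 'vm-01', ProviderName: 'Microsoft.Compute', __inputId: 'azure:eh',
};
console.log(orderedEventJson(sample, ['ProviderId', 'ProviderName', 'MachineName']));
```

The ordering guarantee applies to the emitted text, which is what a destination-side regex reads; a JavaScript consumer that parses the text back into an object will list integer-like keys such as `7` first again.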