Hi,
I am using log4j2 & splunk-library-javalogging to log event(data) to SplunkHEC HTTP Event Collector.
My event(data) is typically JSON objects containing key value pairs.
Below is how it looks in Splunk (Syntax Highlighted format). This looks good.
{ [-]
logger: tlrSplunkLogger
message: {"event":"data has " double quotes "}
severity: INFO
thread: main
}
But when I view it in Raw text format, it looks like this:
{"severity":"INFO","logger":"tlrSplunkLogger","thread":"main","message":"{\"event\":\"data has \" double quotes \"}"}
Note the backslashes before the double quotes, e.g. \"event\".
In the above event (data) there is a key named "Message" and its value starts with a double quote ("); due to this, all contents containing double quotes are escaped, like \"event\".
Is this the default/correct behaviour in Splunk?
Can I somehow do anything before/while logging the event (data) to Splunk so that backslashes are not present in the raw text?
I tried a lot of things, from JSONLayout to encoding the data, so that the raw text does not have backslashes, but nothing worked.
Does this need to be taken care of on the Splunk side?
Any information on this would be highly appreciated.
Thanks.
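The escaping in the raw text above, as an added example that is not part of the original thread, using Python's standard json module: the "message" value is a JSON string nested inside the outer event, so every double quote inside it has to go on the wire as \" and comes back intact when the outer JSON is parsed. The example also shows what changes when the inner data is nested as a JSON object instead of a string, and which backslashes remain even then.

```python
import json

# Constructed raw HEC event text, in the shape the question shows (the \" escapes are the point).
RAW_EVENT = ('{"severity":"INFO","logger":"tlrSplunkLogger","thread":"main",'
             '"message":"{\\"event\\":\\"data has \\" double quotes \\"}"}')


def message_field(raw: str):
    """Parse the outer event JSON and return 'message' exactly as the logger handed it over.
    The backslashes are JSON string escaping and are removed by the parser."""
    return json.loads(raw)["message"]


def event_with_message_string(message: str) -> str:
    """Serialize an event whose 'message' is a string. Every '"' inside the string must be
    emitted as \\" or the outer JSON would be invalid, so the raw text always shows backslashes."""
    event = {"severity": "INFO", "logger": "tlrSplunkLogger", "thread": "main", "message": message}
    return json.dumps(event, separators=(",", ":"))


def event_with_message_object(message: dict) -> str:
    """Serialize an event whose 'message' is a nested object. The quotes around the inner keys
    and values are now structural and are not escaped; only '"' characters that are part of
    the data itself (here, inside the value of "event") still become \\"."""
    event = {"severity": "INFO", "logger": "tlrSplunkLogger", "thread": "main", "message": message}
    return json.dumps(event, separators=(",", ":"))


def count_escaped_quotes(raw: str) -> int:
    """Number of backslash-escaped double quotes in a raw event text."""
    return raw.count('\\"')


if __name__ == "__main__":
    print(message_field(RAW_EVENT))                      # the logger's original message string
    print(event_with_message_string(message_field(RAW_EVENT)) == RAW_EVENT)
    print(event_with_message_object({"event": 'data has " double quotes '}))
```

Round-tripping the raw text through message_field shows that nothing was lost; only the on-the-wire representation differs between the two shapes.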
Hi,
Thanks for the solutions.
After debugging a lot of code I found out the issue.
splunk-library-javalogging (1.5.3) internally uses the json-simple-1.1.1 jar library for converting a JSONObject to a string and vice versa.
The JSONObject's toString method has a bug which puts in an escape character.
If we fetch the value of the JSONObject with the help of the get(key) method it is correct, but the toString method messes up the data.
Due to the above bug I took another approach of consuming Splunk HEC through Apache HttpAsyncClient, which works fine.
Thanks,
Aditya
Hi, @gaikwadaditya. If your problem is resolved, please accept the answer to help future readers.
Hi,
Is the field extraction working fine?
You can refer to the following doc:
https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Transformsconf
And use the FORMAT parameter.
Let me know if this helps!!
Hi,
Can you share sample data before indexing?