Splunk Raw text showing backslashes before double quotes in event data

gaikwadaditya
Engager

Hi,

I am using log4j2 & splunk-library-javalogging to log event(data) to SplunkHEC HTTP Event Collector.

My event(data) is typically JSON objects containing key value pairs.

Below is how it looks in Splunk (Syntax Highlighted format). This looks good.
{ [-]
    logger: tlrSplunkLogger
    message: {"event":"data has " double quotes "}
    severity: INFO
    thread: main
}

But when I view it in Raw text format, it looks like below:
{"severity":"INFO","logger":"tlrSplunkLogger","thread":"main","message":"{\"event\":\"data has \" double quotes \"}"}

Note the backslashes before the double quotes, e.g. \"event\".
In the above event(data) there is a key named "Message" and its value starts with a double quote ("); due to this, all contents containing double quotes are escaped like \"event\".
Is this the default/correct behaviour in Splunk?
Can I do anything before/while logging event(data) to Splunk so that backslashes are not present in the raw text?
I tried a lot of things, from JSONLayout to encoding the data, so that the raw text does not have backslashes, but nothing worked.
Does this need to be taken care of on the Splunk side?

Any information on this would be highly appreciated.

Thanks.


gaikwadaditya
Engager

Hi,

Thanks for the solutions.

After debugging a lot of code, I found the issue.

splunk-library-javalogging (1.5.3) internally uses the json-simple-1.1.1 jar library for converting a JSONObject to a string and vice versa.

The JSONObject's toString method has a bug which puts in an escape character.

If we fetch the value from the JSONObject with the get(key) method it is correct, but the toString method messes up the data.

Due to the above bug I took another approach of consuming SplunkHEC through Apache HTTPAsyncClient, which works fine.

Thanks,
Aditya
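
The raw text in the question, reproduced with Python's standard json module as an added example (not code from the thread or from splunk-library-javalogging): a message carried as a JSON string value has its quotes escaped on serialization and is restored unchanged on parsing, while a message that is valid JSON can be embedded as a nested object with no backslashes. The helper names and the VALID sample are assumptions made for illustration; the field names and FROM_PAGE come from the question.

```python
import json

# Message exactly as shown in the question; its inner quotes are unescaped,
# so it is not itself valid JSON.
FROM_PAGE = '{"event":"data has " double quotes "}'
# Constructed sample: a message that is a valid JSON object.
VALID = '{"event":"data has no inner quotes"}'


def build_event(message, severity="INFO", logger="tlrSplunkLogger", thread="main"):
    """Serialize an event with the field names and order of the raw text above."""
    event = {"severity": severity, "logger": logger,
             "thread": thread, "message": message}
    return json.dumps(event, separators=(",", ":"))


def as_object_if_json(message):
    """Return the parsed object when message is a JSON object or array,
    otherwise return the original string unchanged."""
    try:
        parsed = json.loads(message)
    except ValueError:  # json.JSONDecodeError subclasses ValueError
        return message
    return parsed if isinstance(parsed, (dict, list)) else message


def round_trip(message):
    """Serialize, then parse again, and return the recovered message."""
    return json.loads(build_event(message))["message"]


if __name__ == "__main__":
    print(build_event(FROM_PAGE))                     # string value: quotes escaped
    print(round_trip(FROM_PAGE))                      # parsing removes the escapes
    print(build_event(as_object_if_json(VALID)))      # nested object: no backslashes
    print(build_event(as_object_if_json(FROM_PAGE)))  # invalid JSON stays a string
```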


richgalloway
SplunkTrust

Hi, @gaikwadaditya. If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

deepashri_123
Motivator

Hi,

Is the field extraction working fine?
You can refer to the following doc:
https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Transformsconf
And use the FORMAT parameter.
Let me know if this helps!!


p_gurav
Champion

Hi,

Can you share sample data before indexing?
