My table has a column with JSON-formatted data that looks like this:
{"Message" : {"Field1": 1000, "Field2": 1000, "Field3": 1000, "Field4": 500, "Field5": 200, "Field6": 500, "Field7": 300, "Field8": 500}}
But in Splunk, my raw event is coming in like this:
{\"Message\" : {\"Field1\": 1000, \"Field2\": 1000, \"Field3\": 1000, \"Field4\": 500, \"Field5\": 200, \"Field6\": 500, \"Field7\": 300, \"Field8\": 500}}
Why is this happening and what can I do to correct it?
DBX double quotes string data by default, if this string content comes with “ in it, we replace them with \”.
In your case, the json string is with " in it, so they are all converted into \" as expected.
You may use the search language, perhaps as an eval expression, to remove the escape characters:
… | replace “\\""” with “\”” in message |…
… | eval message = replace(message, “\\””, “\”) | …
The advantage of eval statement is that it could be run via props/transforms.