Hi,
I am using log4j2 & splunk-library-javalogging to log event(data) to SplunkHEC HTTP Event Collector.
My event(data) is typically JSON objects containing key value pairs.
Below is how it looks in Splunk (Syntax Highlighted format). This looks good.
{ [-]
logger: tlrSplunkLogger
message: {"event":"data has " double quotes "}
severity: INFO
thread: main
}
But when I view in Raw text format, it looks below:
{"severity":"INFO","logger":"tlrSplunkLogger","thread":"main","message":"{\"event\":\"data has \" double quotes \"}"}
Note the backslashes before double quotes e,g, \"event\"
In above event(data) their is a key named "Message" and its value starts with double quotes(") due to this all contents containing double quotes are escaped like \"event\"
Is this the default/correct behaviour in Splunk?
Can I somehow do anything before/while logging event(data) to Splunk so as backslashes are not present in raw text?
I tried lot of things from JSONLayout to encode data, so as, raw text do not have backslashes but nothing worked.
Does this need to taken care on Splunk side?
Any information on this would he highly appreciated.
Thanks.
... View more