topic Re: Splunk Raw text showing backslashes before double quotes in event data in Splunk Dev

Splunk Raw text showing backslashes before double quotes in event data

gaikwadaditya — Wed, 07 Mar 2018 07:19:00 GMT

Hi,

I am using log4j2 & splunk-library-javalogging to log event(data) to SplunkHEC HTTP Event Collector.

My event(data) is typically JSON objects containing key value pairs.

Below is how it looks in Splunk (Syntax Highlighted format). This looks good.
{ [-]
logger: tlrSplunkLogger

message: {"event":"data has " double quotes "}

severity: INFO

thread: main

}

But when I view in Raw text format, it looks below:
{"severity":"INFO","logger":"tlrSplunkLogger","thread":"main","message":"{\"event\":\"data has \" double quotes \"}"}

Note the backslashes before double quotes e,g, \"event\"
In above event(data) their is a key named "Message" and its value starts with double quotes(") due to this all contents containing double quotes are escaped like \"event\"
Is this the default/correct behaviour in Splunk?
Can I somehow do anything before/while logging event(data) to Splunk so as backslashes are not present in raw text?
I tried lot of things from JSONLayout to encode data, so as, raw text do not have backslashes but nothing worked.
Does this need to taken care on Splunk side?

Any information on this would he highly appreciated.

Thanks.

Re: Splunk Raw text showing backslashes before double quotes in event data

p_gurav — Fri, 09 Mar 2018 06:47:05 GMT

Hi,

Can you share sample data before indexing?

Re: Splunk Raw text showing backslashes before double quotes in event data

deepashri_123 — Fri, 09 Mar 2018 07:20:50 GMT

Hi,

Is the field extraction working fine?
You can refer the following doc:
https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Transformsconf
And use parameter FORMAT
Let me know if this helps!!

Re: Splunk Raw text showing backslashes before double quotes in event data

gaikwadaditya — Mon, 12 Mar 2018 08:57:24 GMT

Hi,

Thanks for the solutions.

After debugging lot of code I found out the issue.

splunk-library-javalogging(1.5.3) internally uses library json-simple-1.1.1 jar for converting JSONObject to string and vice versa.

The JSONObject's toString method has a bug which puts an escape character.

If we fetch the value of JSONObject with the help of get(key) method it is correct but toString method messes the data.

Due to above bug I took another approach of consuming SplunkHEC through apache HTTPAsyncClient which works fine.

Thanks,
Aditya

Re: Splunk Raw text showing backslashes before double quotes in event data

richgalloway — Mon, 12 Mar 2018 12:36:15 GMT

Hi, @gaikwadaditya. If your problem is resolved, please accept the answer to help future readers.