topic Re: Why does DBX prepend an escape character to double quotes when pulling JSON-formatted data from a table? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Why-does-DBX-prepend-an-escape-character-to-double-quotes-when/m-p/146122#M29766 <PRE><CODE>DBX double quotes string data by default, if this string content comes with “ in it, we replace them with \”. In your case, the json string is with " in it, so they are all converted into \" as expected. You may use the search language, perhaps as an eval expression, to remove the escape characters: … | replace “\\""” with “\”” in message |… … | eval message = replace(message, “\\””, “\”) | … The advantage of eval statement is that it could be run via props/transforms. </CODE></PRE> Fri, 05 Dec 2014 21:54:34 GMT btsay_splunk 2014-12-05T21:54:34Z Why does DBX prepend an escape character to double quotes when pulling JSON-formatted data from a table? https://community.splunk.com/t5/Getting-Data-In/Why-does-DBX-prepend-an-escape-character-to-double-quotes-when/m-p/146121#M29765 <P>My table has a column with JSON-formatted data that looks like this:</P> <PRE><CODE>{"Message" : {"Field1": 1000, "Field2": 1000, "Field3": 1000, "Field4": 500, "Field5": 200, "Field6": 500, "Field7": 300, "Field8": 500}} </CODE></PRE> <P>But in Splunk, my raw event is coming in like this:</P> <PRE><CODE>{\"Message\" : {\"Field1\": 1000, \"Field2\": 1000, \"Field3\": 1000, \"Field4\": 500, \"Field5\": 200, \"Field6\": 500, \"Field7\": 300, \"Field8\": 500}} </CODE></PRE> <P>Why is this happening and what can I do to correct it?</P> Fri, 05 Dec 2014 20:56:20 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-DBX-prepend-an-escape-character-to-double-quotes-when/m-p/146121#M29765 lagnone_splunk 2014-12-05T20:56:20Z Re: Why does DBX prepend an escape character to double quotes when pulling JSON-formatted data from a table? https://community.splunk.com/t5/Getting-Data-In/Why-does-DBX-prepend-an-escape-character-to-double-quotes-when/m-p/146122#M29766 <PRE><CODE>DBX double quotes string data by default, if this string content comes with “ in it, we replace them with \”. In your case, the json string is with " in it, so they are all converted into \" as expected. You may use the search language, perhaps as an eval expression, to remove the escape characters: … | replace “\\""” with “\”” in message |… … | eval message = replace(message, “\\””, “\”) | … The advantage of eval statement is that it could be run via props/transforms. </CODE></PRE> Fri, 05 Dec 2014 21:54:34 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-DBX-prepend-an-escape-character-to-double-quotes-when/m-p/146122#M29766 btsay_splunk 2014-12-05T21:54:34Z