<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Making a JSON string for SimData's Event Template in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Making-a-JSON-string-for-SimData-s-Event-Template/m-p/430608#M75362</link>
    <description></description>
    <pubDate>Fri, 19 Oct 2018 12:26:12 GMT</pubDate>
    <dc:creator>colbym1</dc:creator>
    <dc:date>2018-10-19T12:26:12Z</dc:date>
    <item>
      <title>Making a JSON string for SimData's Event Template</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Making-a-JSON-string-for-SimData-s-Event-Template/m-p/430608#M75362</link>
      <description>&lt;P&gt;I am trying to make events with &lt;STRONG&gt;SimData&lt;/STRONG&gt; that use the JSON format. The problem comes when I need to make the "template" for the event in &lt;STRONG&gt;SimData&lt;/STRONG&gt; because of all of the double quotes needed for JSON.&lt;/P&gt;

&lt;P&gt;When I try to escape them, &lt;STRONG&gt;SimData&lt;/STRONG&gt; never gets rid of them:&lt;/P&gt;

&lt;P&gt;Code:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;event WebRequest {
      required: [flow_id, event_type, src_ip, src_port, dest_ip, dest_port, proto];
      //template: "{{_time}} hello world";
      template: "{\"timestamp\": {{_time}}, \"flow_id\": {{flow_id}}, \"event_type\": \"{{event_type}}\", \"src_ip\": \"{{src_ip}}\", \"src_port\": \"{{src_port}}\", \"dest_ip\": \"{{dest_ip}}\", \"dest_port\": \"{{dest_port}}\", \"proto\": \"{{proto}}\"}";
      source: "simdata";
      sourcetype: "suricata";
}
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;What shows in Splunk:&lt;BR /&gt;
&lt;CODE&gt;{\"timestamp\": {{_time}}, \"flow_id\": {{flow_id}}, \"event_type\": \"{{event_type}}\", \"src_ip\": \"{{src_ip}}\", \"src_port\": \"{{src_port}}\", \"dest_ip\": \"{{dest_ip}}\", \"dest_port\": \"{{dest_port}}\", \"proto\": \"{{proto}}\"}&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;I'm sure that you can see that having \ everywhere is a problem. I honestly think this may be an error on the side of &lt;STRONG&gt;SimData&lt;/STRONG&gt; not sanitizing data before sending it off to the HEC, because when you print the same event to the console with the 'Text' transport, there are no \" because, when printing, Java makes sure to take care of that.&lt;/P&gt;

&lt;P&gt;Does anyone have a current workaround for this, or am I just crazy and can't figure out how to do this correctly?&lt;/P&gt;

&lt;P&gt;Thanks for your time.&lt;/P&gt;</description>
      <pubDate>Fri, 19 Oct 2018 12:26:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Making-a-JSON-string-for-SimData-s-Event-Template/m-p/430608#M75362</guid>
      <dc:creator>colbym1</dc:creator>
      <dc:date>2018-10-19T12:26:12Z</dc:date>
    </item>
    <item>
      <title>Re: Making a JSON string for SimData's Event Template</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Making-a-JSON-string-for-SimData-s-Event-Template/m-p/430609#M75363</link>
      <description>&lt;P&gt;So, I have been working with the Splunk team on this. The docs should reflect this now, but what I learned is that if you are using JSON format, then just don't use a template. SimData will automatically put the data in JSON format just based on the required values you provide...&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;event TicketPlaced {
      required: [item, place, time];
      source: "https://foo.com/";
      sourcetype: "foo";
}
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;will give you:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;{
   "item": item,
   "place": place,
   "time": time
}
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 06 Nov 2018 17:51:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Making-a-JSON-string-for-SimData-s-Event-Template/m-p/430609#M75363</guid>
      <dc:creator>colbym1</dc:creator>
      <dc:date>2018-11-06T17:51:07Z</dc:date>
    </item>
  </channel>
</rss>

