Getting Data In

Creating new events via REST receivers endpoint

misteryuku
Communicator

Whenever I want to create new events via the REST receivers endpoint, can I create new fields and set values for those fields?

0 Karma

Damien_Dallimor
Ultra Champion

If you format the content of your log message using key=value pairs, then Splunk will automatically extract these at search time. This log message gets sent in the body of the REST HTTP Request.

The URL argument key=value pairs are for defining Splunk metadata fields (index, source, sourcetype, host, host_regex).

The Splunk Java Logging Framework provides a useful interface to make it easier to create best-practice log messages and integrate with your preferred logging framework, i.e. there are log4j and logback appenders that will seamlessly handle logging to the Splunk REST endpoint. Download it and look at the examples.
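One way to assemble such a request, as an added example that is not code from the thread or the Splunk SDK: metadata goes percent-encoded into the query string and the custom fields go into the body as key=value pairs. The path and the metadata parameter names are taken from the thread; nothing is sent over the network, the function only returns what would be sent.

```python
# Added example (not code from the thread or the Splunk SDK): build the
# simple-receiver request described above. Metadata (index, source,
# sourcetype, host, host_regex) is percent-encoded into the query string;
# the event itself, including custom fields as key=value pairs, is the body.
import re
from urllib.parse import urlencode

RECEIVER_PATH = "/services/receivers/simple"
# The only query parameters the simple receiver treats as metadata.
META_KEYS = {"index", "source", "sourcetype", "host", "host_regex"}
FIELD_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
KV_PAIR = re.compile(r'(\w+)=(?:"((?:\\"|[^"])*)"|(\S+))')


def build_request(metadata, fields, prefix=""):
    """Return (path, body) for one event.

    Custom fields are refused as query parameters: Splunk ignores them there,
    so the only place they become searchable fields is inside the body.
    """
    unknown = set(metadata) - META_KEYS
    if unknown:
        raise ValueError(f"not receiver metadata, put in the body: {sorted(unknown)}")
    # urlencode percent-encodes '&' and '=' in values, so a value such as
    # 'a&index=other' cannot smuggle in a second query parameter.
    path = RECEIVER_PATH + "?" + urlencode(metadata)
    pairs = []
    for name, value in fields.items():
        if not FIELD_NAME.fullmatch(name):
            raise ValueError(f"field name will not auto-extract: {name!r}")
        value = str(value).replace('"', '\\"')
        # Quote values containing whitespace, separators or quotes so the
        # pair survives as a single token in the raw event.
        quoted = f'{name}="{value}"' if re.search(r'[\s,="]', value) else f"{name}={value}"
        pairs.append(quoted)
    body = " ".join(([prefix] if prefix else []) + pairs)
    return path, body


def extract_kv(raw):
    """Stand-in for search-time key=value auto-extraction, used to check
    locally that the fields placed in the body are recoverable."""
    fields = {}
    for m in KV_PAIR.finditer(raw):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = bare if quoted is None else quoted.replace('\\"', '"')
    return fields
```

Because the whole body becomes the raw event, the key=value pairs are necessarily part of _raw; the metadata parameters are the only values that travel outside it.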

misteryuku
Communicator

I only want to see the added key=value pairs below the raw data, not together with the raw data.

When I tried adding the raw data and the key=value pairs to the content body of the REST HTTP request like this, using the Java REST SDK API:
reqMsg.setContent("rawdata1 - hater = yes, nothater = no");

I see this added in the search app:
rawdata1 - hater = yes, nothater = no
(for the added raw data value)
The new fields hater and nothater are added below the raw field.

I just want rawdata1 as the raw data value. Does it have to be done using the Java logging framework if I'm using Java?

0 Karma

misteryuku
Communicator

Then, when I opened the search app to see the added data, I saw both the new fields and the raw data, which is the key=value pairs that I set, directly added.

0 Karma

misteryuku
Communicator

I set the key=value pairs into the body of the REST HTTP request directly using the Java REST SDK API. Example:
RequestMessage reqMsg = new RequestMessage();
reqMsg.setMethod("post");
reqMsg.getHeader().put("x-splunk-input-mode", "streaming");
reqMsg.setContent("hater = yes, nothater = no");
Then I send the message to the simple receiver REST endpoint.
String path = "/services/receivers/simple?host=localhost&index=main&source=addfields&sourcetype=addedfields";
ResponseMessage resMsg = authService.send(path,reqMsg);

0 Karma

misteryuku
Communicator

Never mind. Thanks.

0 Karma

Ayn
Legend

Ok, can't help you with how the logback framework works. Sorry.

0 Karma

misteryuku
Communicator

I wanted to format the log message into key=value pairs using the logback framework and append the log message to the Splunk REST receivers endpoint. I'm doing all of this in Java. I wanted to append the formatted log message to an outputstream appender and get an OutputStream object to be sent to Splunk's REST receivers stream endpoint.

I wanted to format the log message with sample key=value pairs like this:
logger.debug("wrap = true, setValue = false,");

0 Karma

Ayn
Legend

I don't know what socket appenders you are talking about.

I still think the best idea for you would be to show as a complete case what you're trying to achieve, with example data and an actual use-case, rather than asking about small details one at a time. But, that's just me.

misteryuku
Communicator

I have been looking through logback and I would like to ask about the log messages formatted with key=value pairs: they are sent to the Splunk endpoint by socket appenders. Is that right?

0 Karma

Ayn
Legend

You could format it any way you want. Splunk only extracts keys and values automatically if they follow the key=value standard, but if you format it differently it's just a matter of creating field extractions for your specific log format instead.

0 Karma

misteryuku
Communicator

What are the other ways to format the log message?

0 Karma

Damien_Dallimor
Ultra Champion

No, it is simply a framework to make it easier for you.

0 Karma

misteryuku
Communicator

Is it necessary to format the log message using the Splunk logging framework?

0 Karma

dart
Splunk Employee

You can add fields in the data in key=value pairs and they will be extracted automatically.

See also the docs on the receivers endpoint.

0 Karma

dart
Splunk Employee

I mean in the same place the data of the event is sent, not as extra parameters.

0 Karma

misteryuku
Communicator

Are you sure? It didn't work.
I appended the key=value pairs to the REST API endpoint URL. I appended the source and sourcetype and they appear during the search, but not the additional fields that I created.

0 Karma