Getting Data In

HTTP Event Collector: Why are double quotes not escaped for a properly formatted JSON string?

unclethan
Path Finder

A properly formatted JSON string will escape the double quotes. However the HEC does not translate that accordingly.

e.g JSON message to HEC: {"event":"somefield=\"a value with spaces\""}
the value for somefield is \"a value with spaces\"
when it should have the value a value with spaces

Any information on how to rectify this would be appreciated.

1 Solution

gblock_splunk
Splunk Employee
Splunk Employee

This is fixed in the next version of Splunk, 6.4 which will be shipping very soon.

View solution in original post

0 Karma

gblock_splunk
Splunk Employee
Splunk Employee

This is fixed in the next version of Splunk, 6.4 which will be shipping very soon.

0 Karma

IdoTwiggle
Engager

Hi,

We're currently using Splunk version 6.4.1 and still experiencing this bug.
Can you verify if / on what version was it fixed to let us know what version should we upgrade to?

Thanks,
Ido

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...