Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does DBX prepend an escape character to double quotes when pulling JSON-formatted data from a table?

lagnone_splunk
Splunk Employee
Splunk Employee
‎12-05-2014 12:56 PM

My table has a column with JSON-formatted data that looks like this:

{"Message" : {"Field1": 1000, "Field2": 1000, "Field3": 1000, "Field4": 500, "Field5": 200, "Field6": 500, "Field7": 300, "Field8": 500}}

But in Splunk, my raw event is coming in like this:

{\"Message\" : {\"Field1\": 1000, \"Field2\": 1000, \"Field3\": 1000, \"Field4\": 500, \"Field5\": 200, \"Field6\": 500, \"Field7\": 300, \"Field8\": 500}}

Why is this happening and what can I do to correct it?

Tags (3)
Reply

btsay_splunk
Splunk Employee
Splunk Employee
‎12-05-2014 01:54 PM 
DBX double quotes string data by default,  if this string content comes with “ in it, we replace them with \”.

In your case, the json string is with " in it, so they are all converted into \" as expected.

You may use the search language, perhaps as an eval expression, to remove the escape characters:

… | replace “\\""” with “\”” in message |…
… | eval message = replace(message, “\\””, “\”) | …

The advantage of eval statement is that it could be run via props/transforms.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...