Getting Data In

how to configure log4net with nested JSON?

Path Finder

This is really a log4net question but I'm hoping the folks here can help; I have been unsuccessful at searching online for a solution.


We have a custom application which generates local logs in JSON format via the log4net module. We then have a Splunk UF installed to collect said logs. In general that all works fine. The problem is that some log messages include a nested JSON 'message' field -- but log4net is misformatting it as a string and so Splunk doesn't parse the nested part.

You can see the issue (below) where log4net is unnecessarily adding quote-marks around the nested part:










I'm not entirely sure of the log4net configuration but here's what I was told by one of our developers:


<conversionPattern value="%utcdate [%property{CorrelationId}] [%property{companyId}] [%property{userId}] [%thread] [%level] %logger - %message%newline" />


<conversionPattern value="{&quot;date&quot;:&quot;%date{ISO8601}&quot;, &quot;correlationId&quot;:&quot;%property{CorrelationId}&quot;, &quot;companyId&quot;:&quot;%property{companyId}&quot;, &quot;userId&quot;:&quot;%property{userId}&quot;, &quot;thread&quot;:&quot;%thread&quot;, &quot;level&quot;:&quot;%level&quot;, &quot;logger&quot;:&quot;%logger&quot;, &quot;message&quot;:&quot;%message&quot;}%newline" />









Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? &#x1f680; We invite you to join our elite squad ...