This is really a log4net question, but I'm hoping the folks here can help; I have been unsuccessful at searching online for a solution.
We have a custom application which generates local logs in JSON format via the log4net module. We then have a Splunk UF installed to collect said logs. In general that all works fine. The problem is that some log messages include a nested JSON 'message' field -- but log4net is misformatting it as a string and so Splunk doesn't parse the nested part.
You can see the issue (below) where log4net is unnecessarily adding quote marks around the nested part: