This is really a log4net question but I'm hoping the folks here can help; I have been unsuccessful at searching online for a solution.

-----------------

We have a custom application which generates local logs in JSON format via the log4net module. We then have a Splunk UF installed to collect said logs. In general that all works fine. The problem is that some log messages include a nested JSON 'message' field -- but log4net is misformatting it as a string and so Splunk doesn't parse the nested part.

You can see the issue (below) where log4net is unnecessarily adding quote-marks around the nested part:

CURRENT/INVALID

"message":"{"command":"Transform271ToBenefitResponse","ms":1}"

PROPER

"message":{"command":"Transform271ToBenefitResponse","ms":1}

--------------------------

I'm not entirely sure of the log4net configuration but here's what I was told by one of our developers:

ORIGINAL LOG4NET CONFIG

<conversionPattern value="%utcdate [%property{CorrelationId}] [%property{companyId}] [%property{userId}] [%thread] [%level] %logger - %message%newline" />

UPDATED CONFIG; STILL FAILS

<conversionPattern value="{&quot;date&quot;:&quot;%date{ISO8601}&quot;, &quot;correlationId&quot;:&quot;%property{CorrelationId}&quot;, &quot;companyId&quot;:&quot;%property{companyId}&quot;, &quot;userId&quot;:&quot;%property{userId}&quot;, &quot;thread&quot;:&quot;%thread&quot;, &quot;level&quot;:&quot;%level&quot;, &quot;logger&quot;:&quot;%logger&quot;, &quot;message&quot;:&quot;%message&quot;}%newline" />