This is really a log4net question but I'm hoping the folks here can help; I have been unsuccessful at searching online for a solution.
-----------------
We have a custom application which generates local logs in JSON format via the log4net module. We then have a Splunk UF installed to collect said logs. In general that all works fine. The problem is that some log messages include a nested JSON 'message' field -- but log4net is misformatting it as a string and so Splunk doesn't parse the nested part.
You can see the issue (below) where log4net is unnecessarily adding quote-marks around the nested part:
CURRENT/INVALID
"message":"{"command":"Transform271ToBenefitResponse","ms":1}"
PROPER
"message":{"command":"Transform271ToBenefitResponse","ms":1}
--------------------------
I'm not entirely sure of the log4net configuration but here's what I was told by one of our developers:
ORIGINAL LOG4NET CONFIG
<conversionPattern value="%utcdate [%property{CorrelationId}] [%property{companyId}] [%property{userId}] [%thread] [%level] %logger - %message%newline" />
UPDATED CONFIG; STILL FAILS
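<conversionPattern value="{&quot;date&quot;:&quot;%date{ISO8601}&quot;, &quot;correlationId&quot;:&quot;%property{CorrelationId}&quot;, &quot;companyId&quot;:&quot;%property{companyId}&quot;, &quot;userId&quot;:&quot;%property{userId}&quot;, &quot;thread&quot;:&quot;%thread&quot;, &quot;level&quot;:&quot;%level&quot;, &quot;logger&quot;:&quot;%logger&quot;, &quot;message&quot;:&quot;%message&quot;}%newline" />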
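
Added example, not part of the original post and not log4net's own code: a custom layout (hypothetical class name `NestedJsonLayout`) that builds each line with a JSON serializer instead of substituting `%message` into a hand-written template, so a message that is itself a JSON object is emitted nested and any other text is escaped rather than breaking the line. It assumes `System.Text.Json` is available to the application; the field names are taken from the pattern above, and the `exception` field is an addition.

```csharp
using System.Collections.Generic;
using System.IO;
using System.Text.Json;
using log4net.Core;
using log4net.Layout;

// Hypothetical class; not part of log4net or of the poster's application.
public class NestedJsonLayout : LayoutSkeleton
{
    public NestedJsonLayout()
    {
        // This layout writes the exception itself, so the appender must not
        // append raw exception text after the JSON line.
        IgnoresException = false;
    }

    public override void ActivateOptions() { } // no configurable options

    public override void Format(TextWriter writer, LoggingEvent e)
    {
        var fields = new Dictionary<string, object>
        {
            ["date"] = e.TimeStamp.ToString("o"), // round-trip ISO 8601
            ["correlationId"] = e.LookupProperty("CorrelationId")?.ToString(),
            ["companyId"] = e.LookupProperty("companyId")?.ToString(),
            ["userId"] = e.LookupProperty("userId")?.ToString(),
            ["thread"] = e.ThreadName,
            ["level"] = e.Level?.Name,
            ["logger"] = e.LoggerName,
            ["message"] = NestIfJsonObject(e.RenderedMessage)
        };
        string ex = e.GetExceptionString();
        if (!string.IsNullOrEmpty(ex)) fields["exception"] = ex;
        // The serializer escapes quotes, backslashes and newlines in every string.
        writer.WriteLine(JsonSerializer.Serialize(fields));
    }

    // Returns a JsonElement when the message parses as a JSON object (emitted
    // nested); anything else is returned unchanged and serialized as a string.
    private static object NestIfJsonObject(string message)
    {
        if (string.IsNullOrWhiteSpace(message)) return message;
        try
        {
            using (JsonDocument doc = JsonDocument.Parse(message))
            {
                if (doc.RootElement.ValueKind == JsonValueKind.Object)
                    return doc.RootElement.Clone(); // survives doc disposal
            }
        }
        catch (JsonException) { /* plain-text message: keep it as a string */ }
        return message;
    }
}
```

The appender's `<layout>` element would reference this class by its assembly-qualified type name in place of the `PatternLayout` and its `conversionPattern`.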