I have data being fed into Splunk from a log file in json format. Currently it is not extracting any of the fields from below. Any suggestions on how to get this parsed correctly? I am fairly new to this. Thanks in advance.
1 2017-01-27T13:36:36.95-08:00 SERVER Malwarebytes-Endpoint-Security 1848 - - {\"security_log\":{\"client_id\":\"16041d03-c24a-4d75-a4e8-592923cff7f0\",\"host_name\":\"XXX-WIN7-X64-2\",\"domain\":\"xxx.xxx.com\",\"mac_address\":\"00-0C-29-xx-xx-xx\",\"ip_address\":\"xxx.xxx.xxx.xx\",\"time\":\"2017-01-27T13:36:32-08:00\",\"threat_level\":\"Moderate\",\"object_type\":\"FileSystem\",\"object\":\"C:\\\\Users\\\\user\\\\AppData\\\\LocalLow\\\\AskToolbar\\\\cache.dat\",\"threat_name\":\"PUP.Optional.ASK\",\"action\":\"Quarantine\",\"operation\":\"QUARANTINE\",\"resolved\":true,\"logon_user\":\"\",\"data\":\"data\",\"description\":\"No description\",\"source\":\"MBAM\",\"payload\":null,\"payload_url\":null,\"payload_process\":null,\"application_path\":null,\"application\":null}}
The fields are not automatically extracted as your data is not pure JSON. In fact, if all double quotes are escaped like in the question, it's not even JSON. If the escaped double quotes only appear in the question and not in the actual data, you can use the method specified in this link to extract fields in-line in search.
https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs.html
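The answer above hands the unescaping and extraction to an in-search method. The script below is an added example, not code from the question, the answer, Splunk or Malwarebytes; it shows the same two steps on constructed sample lines: isolating the JSON object from the syslog-style header, decoding the backslash-escaped variant shown in the question, and flattening the nested object into dotted field names. It assumes the header is the RFC 5424-style seven-field prefix visible in the question (version, timestamp, host, app, procid, msgid, structured-data); the sample events, the regex, the `{\"` heuristic and the triage rule are my own assumptions.

```python
import json
import re
from typing import Any, Dict

# Constructed sample events (not taken from the post). The first carries the
# backslash-escaped quotes exactly as they appear in the question; the second
# is the same layout with clean JSON after the syslog header.
ESCAPED_EVENT = (
    r'1 2017-01-27T13:36:36.95-08:00 SERVER Malwarebytes-Endpoint-Security 1848 - - '
    r'{\"security_log\":{\"host_name\":\"XXX-WIN7-X64-2\",\"threat_level\":\"Moderate\",'
    r'\"object\":\"C:\\\\Users\\\\user\\\\cache.dat\",\"threat_name\":\"PUP.Optional.ASK\",'
    r'\"action\":\"Quarantine\",\"resolved\":true,\"payload\":null}}'
)
CLEAN_EVENT = (
    r'1 2017-01-27T13:40:00.00-08:00 SERVER Malwarebytes-Endpoint-Security 1848 - - '
    r'{"security_log":{"host_name":"XXX-WIN7-X64-3","threat_level":"High",'
    r'"object":"C:\\Users\\user\\evil.exe","threat_name":"Trojan.Example",'
    r'"action":"Quarantine","resolved":false,"payload":null}}'
)

# Assumed layout: an RFC 5424-style header (version, timestamp, host, app,
# procid, msgid, structured-data) followed by the JSON object as the message.
HEADER_RE = re.compile(
    r"^(?P<version>\d+)\s+(?P<timestamp>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+"
    r"(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<sd>\S+)\s+(?P<payload>\{.*\})\s*$"
)


def unescape_payload(payload: str) -> str:
    """Return plain JSON text. If the quotes were escaped (the object was
    written out as the body of a JSON string), wrapping it in double quotes
    makes a valid JSON string literal, which json.loads decodes back into
    the original object text. Clean JSON is returned untouched."""
    if payload.startswith('{\\"'):  # heuristic: object opens with an escaped quote
        return json.loads('"' + payload + '"')
    return payload


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested objects into dotted field names (security_log.action),
    similar to how the fields appear once Splunk's spath has parsed them."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{idx}."))
    else:
        out[prefix[:-1]] = obj
    return out


def parse_event(event: str) -> Dict[str, Any]:
    """Split off the syslog header fields and merge in the JSON fields."""
    match = HEADER_RE.match(event)
    if not match:
        raise ValueError("line does not match the expected header + JSON layout")
    fields = {k: v for k, v in match.groupdict().items() if k != "payload"}
    fields.update(flatten(json.loads(unescape_payload(match.group("payload")))))
    return fields


def needs_followup(fields: Dict[str, Any]) -> bool:
    """Triage rule (assumed, not Malwarebytes') for a parsed event: anything
    the agent could not resolve, or rated above Moderate, goes to an analyst."""
    return (
        fields.get("security_log.resolved") is False
        or fields.get("security_log.threat_level") == "High"
    )


if __name__ == "__main__":
    for raw in (ESCAPED_EVENT, CLEAN_EVENT):
        parsed = parse_event(raw)
        print(parsed["security_log.host_name"], parsed["security_log.threat_name"],
              parsed["security_log.object"],
              "follow-up" if needs_followup(parsed) else "ok")
```

The decoding trick in `unescape_payload` works because text with every `"` written as `\"` and every `\` as `\\` is exactly the body of a JSON string literal, so a JSON parser undoes it in one step instead of chained `replace` calls whose order is easy to get wrong. In Splunk the equivalent of `HEADER_RE` plus `flatten` is to pull the message into a field with `rex` and pass that field to `spath input=...`; `KV_MODE = json` in props.conf only applies when the whole event is JSON, which the syslog header here prevents.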