I have a log4j properties file, and when I try to put logs on Splunk I see triple backslashes

{\\\"v\\\":\\\"1.0\\\",\\\"category\\\":\\\"APP\\\",\\\"level\\\":\\\"INFO\\\",\\\"timeStamp\\\"

Is that Splunk, or can I modify that in the log4j properties so no \\\ is displayed?

Thank you

Bear Bear

1 Answer

Splunk won't add escape characters such as \\\, so I believe the issue is with the properties file. Open it in an editor and confirm if that is the case.

That said, you can remove these characters when ingesting into Splunk, if you aren't able to remove the characters at the source.

In a Splunk props.conf file, you can include the following. This will remove any \\\ in files that are ingested with the filename extension .properties.

[source::.../*.properties]
SEDCMD-clean-log4j = s/\\\\\\//g

You can see the documentation for props.conf at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Field_extraction_configuration

If you are looking at Java logging, I suggest you look at one of the Splunk-supported loggers (which included log4j) at https://github.com/splunk/splunk-library-javalogging.

Simon Duff
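A sed-style substitution such as the SEDCMD in this answer replaces only the first match in each event unless it carries the `g` flag. The Python below is an added example, not part of the original answer or of Splunk, that emulates both forms on an event shaped like the one in the question and checks whether the result parses as JSON. The sample event, its `message` field and the function names are constructed for illustration.

```python
import json
import re

# Regex half of the SEDCMD: three literal backslashes.
TRIPLE_BACKSLASH = re.compile(r"\\\\\\")

# Constructed payload; the real event in the question is truncated.
CLEAN = {"v": "1.0", "category": "APP", "level": "INFO", "message": "started"}


def make_sample() -> str:
    # Reproduce the shape seen in Splunk: every quote preceded by three backslashes.
    text = json.dumps(CLEAN, separators=(",", ":"))
    return text.replace('"', '\\\\\\"')


def apply_sedcmd(event: str, global_flag: bool) -> str:
    # count=1 mirrors s/.../.../ (first match only); count=0 mirrors the g flag.
    return TRIPLE_BACKSLASH.sub("", event, count=0 if global_flag else 1)


def is_valid_json(event: str) -> bool:
    try:
        json.loads(event)
        return True
    except ValueError:
        return False


def compare(event: str) -> dict:
    # Run both variants so the effect of the flag is visible side by side.
    first_only = apply_sedcmd(event, global_flag=False)
    all_matches = apply_sedcmd(event, global_flag=True)
    return {
        "first_only": first_only,
        "first_only_valid": is_valid_json(first_only),
        "all_matches": all_matches,
        "all_matches_valid": is_valid_json(all_matches),
    }


if __name__ == "__main__":
    for key, value in compare(make_sample()).items():
        print(f"{key}: {value}")
```

Running the same comparison on a real captured event before deploying the props.conf change shows whether the cleaned event will still be parseable at search time.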