It appears the latest (3.1.1) version of the Splunk TA has fields extracted including the surrounding speech marks.
e.g.
"Attempt Greylisted"
"Policy level Anti-Spoofing applied"
"SPF Sender Invalid"
"Failed Known address verification"
"[MCSpamSignature.r.s.195.344]"
"[MCSpamSignature.r.s.94.219]"
... etc.
This is the case for most fields.
Upgrade your TA to the latest version. The latest version of the TA has the fix for that.
We know... we worked with Mimecast to fix it for them 🙂
Just edit the extractions in the local directory of the app and modify them to not include them.
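To confirm which fields still carry the literal quotes, before and after upgrading or editing the local extractions, an exported sample of extracted values can be audited. The following is an added example, not part of the thread or of the TA; the CSV layout and the field names `reason`, `signature` and `sender` are assumptions, and the sample rows are constructed from the values quoted in the question.

```python
import csv
import io

# Constructed sample: a CSV export of extracted field values.
# Field names are hypothetical; the quoted values come from the question above.
# In CSV, a value that itself contains quotes is written as """value""".
SAMPLE_EXPORT = '''reason,signature,sender
"""Attempt Greylisted""","""[MCSpamSignature.r.s.195.344]""",a@example.com
"""SPF Sender Invalid""","""[MCSpamSignature.r.s.94.219]""",b@example.com
"""Failed Known address verification""",,c@example.com
'''


def is_wrapped(value):
    """True when the value carries a literal pair of surrounding double quotes."""
    return len(value) >= 2 and value[0] == '"' and value[-1] == '"'


def audit_quoted_fields(csv_text):
    """Return {field: (wrapped_count, non_empty_count)} for every column."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field, value in row.items():
            if not value:  # skip empty or missing cells
                continue
            wrapped, total = counts.get(field, (0, 0))
            counts[field] = (wrapped + is_wrapped(value), total + 1)
    return counts


def affected_fields(csv_text, threshold=1.0):
    """Fields where at least `threshold` of the non-empty values are wrapped."""
    counts = audit_quoted_fields(csv_text)
    return sorted(f for f, (w, t) in counts.items() if t and w / t >= threshold)


def strip_wrapping(value):
    """Remove one surrounding pair of double quotes, if present."""
    return value[1:-1] if is_wrapped(value) else value


if __name__ == "__main__":
    for field, (wrapped, total) in audit_quoted_fields(SAMPLE_EXPORT).items():
        print(f"{field}: {wrapped}/{total} values wrapped in quotes")
    print("affected:", affected_fields(SAMPLE_EXPORT))
```

A field that still appears in the affected list after the change is one whose extraction continues to capture the quotes.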