Splunk Search

Why does transaction command seems to be encoding characters?

jplasencia
Engager

Hello all, 

This is my first post here. I have been learning Splunk over the past few months and I am loving it.  I am running in to an interesting issue. 

I am using the transaction command to group events together.  An example of the queries below:

index::web ealiest=-30m
| transaction maxspan=3s

result: 

STARTED RECORD UPDATE: {"update"=>"contacts", "ordered"=>true, "updates"=>[{"q"=>{"_id"=>BSON::ObjectId('123456789')}

COMPLETED record update {"status": 200}

But if I append a table command to display the _raw field some of the characters are automatically encoded, as shown below:

index::web ealiest=-30m
| transaction maxspan=3s
| table _raw

result:


STARTED RECORD UPDATE: {"update"=>"contacts", "ordered"=>true, "updates"=>[{"q"=>{"_id"=>BSON::ObjectId('123456789')}

COMPLETED record update {&quotstatus&quot: 200}

 

I tried recreating this behavior by using makeresults, but in that case it works as I would expect. Does anyone have an idea of why this might be happening? 

 

Thanks,

Julio

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Notification Email Migration Announcement

The Notification Team is migrating our email service provider from Postmark to AWS Simple Email Service (SES) ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...