Hello all, 

This is my first post here. I have been learning Splunk over the past few months and I am loving it.  I am running in to an interesting issue. 

I am using the transaction command to group events together.  An example of the queries below:

index::web ealiest=-30m
| transaction maxspan=3s

result: 

STARTED RECORD UPDATE: {"update"=>"contacts", "ordered"=>true, "updates"=>[{"q"=>{"_id"=>BSON::ObjectId('123456789')}

COMPLETED record update {"status": 200}

But if I append a table command to display the _raw field some of the characters are automatically encoded, as shown below:

index::web ealiest=-30m
| transaction maxspan=3s
| table _raw

result:

STARTED RECORD UPDATE: {"update"=>"contacts", "ordered"=>true, "updates"=>[{"q"=>{"_id"=>BSON::ObjectId('123456789')}

COMPLETED record update {&quotstatus&quot: 200}

I tried recreating this behavior by using makeresults, but in that case it works as I would expect. Does anyone have an idea of why this might be happening? 

Thanks,

Julio