Splunk Search

Why does the transaction command seem to be encoding characters?

jplasencia
Explorer

Hello all, 

This is my first post here. I have been learning Splunk over the past few months and I am loving it. I am running into an interesting issue.

I am using the transaction command to group events together. An example of the queries is below:

index::web earliest=-30m
| transaction maxspan=3s

result: 

STARTED RECORD UPDATE: {"update"=>"contacts", "ordered"=>true, "updates"=>[{"q"=>{"_id"=>BSON::ObjectId('123456789')}

COMPLETED record update {"status": 200}

But if I append a table command to display the _raw field some of the characters are automatically encoded, as shown below:

index::web earliest=-30m
| transaction maxspan=3s
| table _raw

result:


STARTED RECORD UPDATE: {"update"=>"contacts", "ordered"=>true, "updates"=>[{"q"=>{"_id"=>BSON::ObjectId('123456789')}

COMPLETED record update {&quotstatus&quot: 200}

 

I tried recreating this behavior by using makeresults, but in that case it works as I would expect. Does anyone have an idea of why this might be happening? 

 

Thanks,

Julio
