Hello all,
This is my first post here. I have been learning Splunk over the past few months and I am loving it. I am running into an interesting issue.
I am using the transaction command to group events together. An example of the queries is below:
index::web earliest=-30m | transaction maxspan=3s
result:
STARTED RECORD UPDATE: {"update"=>"contacts", "ordered"=>true, "updates"=>[{"q"=>{"_id"=>BSON::ObjectId('123456789')} COMPLETED record update {"status": 200}
But if I append a table command to display the _raw field some of the characters are automatically encoded, as shown below:
index::web earliest=-30m | transaction maxspan=3s | table _raw
result:
STARTED RECORD UPDATE: {"update"=>"contacts", "ordered"=>true, "updates"=>[{"q"=>{"_id"=>BSON::ObjectId('123456789')}
COMPLETED record update {"status": 200}
I tried recreating this behavior by using makeresults, but in that case it works as I would expect. Does anyone have an idea of why this might be happening?
Thanks,
Julio