Getting Data In

Why is there a carriage return appended to the WMI Account_Name field?

ehoward
Path Finder

For sourcetype="WinEventLog:Security the extraction for field Account_Name appears to be prepending a carriage return to the the value. This screws up csv output. Is behavior by design?

0 Karma

erick_costa
Path Finder

to Source Name use
| eval src_name=mvindex(Account_Name, 0)

To Target Name use
| eval src_name=mvindex(Account_Name, 1)

Example:
index=main source="WinEventLog:Security" (EventCode=4720 OR EventCode=4722) Account_Name!="*$" | eval src_name=mvindex(Account_Name,0) | eval tgt_name=mvindex(Account_Name,1) | table src_name, tgt_name

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...