For sourcetype="WinEventLog:Security the extraction for field Account_Name appears to be prepending a carriage return to the the value. This screws up csv output. Is behavior by design?
to Source Name use
| eval src_name=mvindex(Account_Name, 0)
To Target Name use
| eval src_name=mvindex(Account_Name, 1)
Example:
index=main source="WinEventLog:Security" (EventCode=4720 OR EventCode=4722) Account_Name!="*$" | eval src_name=mvindex(Account_Name,0) | eval tgt_name=mvindex(Account_Name,1) | table src_name, tgt_name