Getting Data In

Why is there a carriage return appended to the WMI Account_Name field?

ehoward
Path Finder

For sourcetype="WinEventLog:Security the extraction for field Account_Name appears to be prepending a carriage return to the the value. This screws up csv output. Is behavior by design?

0 Karma

erick_costa
Path Finder

to Source Name use
| eval src_name=mvindex(Account_Name, 0)

To Target Name use
| eval src_name=mvindex(Account_Name, 1)

Example:
index=main source="WinEventLog:Security" (EventCode=4720 OR EventCode=4722) Account_Name!="*$" | eval src_name=mvindex(Account_Name,0) | eval tgt_name=mvindex(Account_Name,1) | table src_name, tgt_name

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...