Why is there a carriage return appended to the WMI Account_Name field?

Path Finder

For sourcetype="WinEventLog:Security" the extraction for field Account_Name appears to be prepending a carriage return to the value. This screws up CSV output. Is this behavior by design?

0 Karma

Path Finder

To get the Source Name, use:
| eval srcname=mvindex(Account_Name, 0)

To get the Target Name, use:
| eval tgtname=mvindex(Account_Name, 1)

Example:
index=main source="WinEventLog:Security" (EventCode=4720 OR EventCode=4722) Account_Name!="*$" | eval srcname=mvindex(Account_Name,0) | eval tgtname=mvindex(Account_Name,1) | table srcname, tgtname

0 Karma
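
Added example, not part of the original thread: a Python sketch of why Account_Name holds two values in account-management events and what mvindex(Account_Name, 0) and mvindex(Account_Name, 1) select. The sample message is constructed, and joining the values with a line break inside one CSV cell is an assumption used to illustrate the symptom in the question.

```python
import csv
import io
import re

# Constructed sample of a 4720 ("A user account was created") message body.
SAMPLE_4720 = (
    "A user account was created.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1104\r\n"
    "\tAccount Name:\t\thelpdesk01\r\n"
    "\tAccount Domain:\t\tEXAMPLE\r\n"
    "\r\n"
    "New Account:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1150\r\n"
    "\tAccount Name:\t\tjdoe\r\n"
    "\tAccount Domain:\t\tEXAMPLE\r\n"
)

SECTION = re.compile(r"^(\S[^:\r\n]*):\s*$")             # e.g. "Subject:"
ACCOUNT = re.compile(r"^\s+Account Name:\s*(\S.*?)\s*$")  # indented key/value


def accounts_by_section(message):
    """Return (section header, account name) pairs in message order."""
    pairs, section = [], None
    for line in message.splitlines():
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := ACCOUNT.match(line):
            pairs.append((section, m.group(1)))
    return pairs


def account_names(message):
    """All 'Account Name:' values in order, like a multivalue field.
    Index 0 is the acting (source) account, index 1 the target account."""
    return [name for _, name in accounts_by_section(message)]


def csv_row(values):
    """Serialize one CSV row so embedded line breaks become visible."""
    out = io.StringIO()
    csv.writer(out).writerow(values)
    return out.getvalue()
```

Putting both values in one cell yields a quoted field with a line break in it, while one column per value (the srcname/tgtname split) keeps each row on a single line.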