I need your help to understand and to solve an issue we discovered with Splunk. This issue seems to be a limitation or a bug of Splunk Enterprise :
We work with microsoft sysmon data, and sometimes we have events with the value of a command executed in prompt. Splunk reports the exact value of the command executed in the raw event :
And the value extracted by Splunk for the field CommandLine is the following :
However, when I want to display the CommandLine field in a table or a stats table, then I get that. See the last row of the table for our CommandLine example :
Splunk replaces my quotes by HTML encoded charactersin the table.
However, the strange thing is not that Splunk replaces everytime special characters by HTML character, Splunk only replaces the special character by HTML characters for some commands executed. Just check the examples below to understand the issue :
Depending on whether we use some texts that Splunk seems to do not like or not, Splunk will encode my special characters in the table or not. The texts in the command executed, that generates the Splunk HTML encoding in table or stats are the followings :
Otherwise, if I put another text, in the command like "blablascript:" or "script:" I do not have the issue.
Could someone please help us to understand from where this issue may come ? Is it a Splunk limitation/bug or just something that we need to configure somewhere ?