I'm trying to figure out a way to extract values where the field has multiple spaces in it.
When I do a simple search and click on the field on the left (so it's populated by Splunk automatically):
source="WinEventLog:Security" | top limit=20 "Nom du compte "
Everything works fine. But as soon as I try to do a more complex search with eval or most other commands, my search doesn't bring up any results because it considers it a different field. I tried changing to single quotes, removing the last space, etc.
Problem is I can't even use rename to try to add underscore in between words.
Does anyone have an idea about this?
Old post but I ran into the same problem.
The trailing "space" character actually ended up being ASCII 160/non-breaking space.
At first I couldn't quite see that when I tried exporting raw or CSV or copying from anywhere it is displayed on screen, but you can get at it if you click on one of the results fields and have Splunk add it to the search. Once it is in there you can copy/paste it, but now that you know, you can enter it with ALT+0160.
Octal 160 ...
This would appear to stem from a peculiarly French punctuation rule where there is a set of punctuation marks, such as the colon, that WILL get a preceding NBSP. And, as far as I can tell, NBSP is NOT in the set of characters that make up the \s in a regex, hence it appears as the last character of the field name. Does it hurt yet?
The rule only applies to Continental French, not Canadian French ... and MS are honoring this rule in the Windows Event logs.
It works like this. But it seems more like a bug, because the command above with "top" works fine but this one won't even generate the field Nomducompte:
source="WinEventLog:Security" | rename "Nom du compte" as Nomducompte | eval type_event=coalesce(TaskCategory,CategoryString) | eval description=coalesce(Keywords,Type) | replace "Success Audit" with "Succès de l’audit", "Audit Success" with "Succès de l’audit", "Audit Failure" with "Échec de l’audit", "Failure Audit" with "Échec de l’audit" in description | search description="Échec de l’audit"
In eval you need to enclose non-alphanumeric identifiers, i.e. ones containing spaces or dots or other nonsense, in single quotes:
source="WinEventLog:Security" | eval foo = 'Nom du compte '
Alternatively, define a field alias or your own regex-based extraction that assigns a reasonable name from the get-go.
Yes regex would be the solution but that field 'Nom du compte ' appears twice in the log sent by Windows. I'm not good enough to write the regex and the erex command isn't working too well to find that second field.
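An added example (my own code, not from this thread or from Splunk) that shows the two points above on a constructed event: why the auto-extracted key ends in U+00A0, and an NBSP-tolerant regex that pulls out both "Nom du compte" values. The sample event layout and account names are assumptions; the character class is spelled out rather than using \s so the same pattern carries over to PCRE-based tools such as Splunk's rex, where \s does not cover NBSP.

```python
import re

# Constructed sample (not a real export): a French-locale Security event laid
# out as the thread describes, with U+00A0 before each colon and
# "Nom du compte" appearing twice (subject, then the new logon).
NBSP = "\u00a0"
SAMPLE_EVENT = (
    "Sujet" + NBSP + ":\n"
    "\tNom du compte" + NBSP + ":\t\tSYSTEM\n"
    "\tDomaine du compte" + NBSP + ":\t\tAUTORITE NT\n"
    "Nouvelle ouverture de session" + NBSP + ":\n"
    "\tNom du compte" + NBSP + ":\t\tjdupont\n"
    "\tDomaine du compte" + NBSP + ":\t\tCORP\n"
)

# What a naive key:value extraction sees: everything up to the colon, so the
# NBSP is swallowed into the key and the field name ends in '\xa0'.
NAIVE_KV = re.compile(r"^\t?([^\t\n:]+):", re.MULTILINE)

# NBSP-tolerant extraction. [ \t\xa0]* also accepts a plain space (Canadian
# French) or no space at all, so one pattern covers both locales.
ACCOUNT_RE = re.compile(r"Nom du compte[ \t\xa0]*:[ \t]*([^\r\n]+)")


def naive_field_names(event: str) -> list[str]:
    """Keys as a colon-delimited extractor captures them, in order, deduplicated."""
    seen: list[str] = []
    for key in NAIVE_KV.findall(event):
        if key not in seen:
            seen.append(key)
    return seen


def has_trailing_nbsp(field_name: str) -> bool:
    """Detect the ASCII-160 tail that makes 'Nom du compte ' a different field."""
    return field_name.endswith(NBSP)


def extract_account_names(event: str) -> list[str]:
    """Return every 'Nom du compte' value, NBSP or not, in order of appearance."""
    return [value.strip() for value in ACCOUNT_RE.findall(event)]


if __name__ == "__main__":
    for name in naive_field_names(SAMPLE_EVENT):
        print(repr(name), "trailing NBSP:", has_trailing_nbsp(name))
    print(extract_account_names(SAMPLE_EVENT))  # ['SYSTEM', 'jdupont']
```

The second value in the returned list is the one the erex attempt above could not reach; in a Splunk search the same regex would go in rex with a named group, which there is written (?<name>...) rather than Python's (?P<name>...).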