I found the answer by myself.
There are actually two approaches/methods by which you can solve this issue:
1. approach is to escape the double quote the right way, which is \"" instead of ". This leads to the following search:
splunk.exe "sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, \""; \"") | eval Account_Name=mvjoin(Account_Name, \""; \"") | eval Security_ID=mvjoin(Security_ID, \""; \"") | eval Logon_ID=mvjoin(Logon_ID, \""; \"") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc
2. approach (I guess the better way) is to use the so-called calculated fields:
See this page (reference)
So your $SPLUNK_HOME/etc/system/local/props.conf has to look like this:
[wineventlog:security]
EVAL-Account_Domain = mvjoin(Account_Domain, "; ")
You add a calculated field for each of the desired fields that have the linefeed in them.
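Here is a fuller props.conf for the second approach, as an added example (not from the original post): it covers all four fields that the search above joins with mvjoin, and assumes the stanza name is the sourcetype wineventlog:security used in that search.

```ini
# $SPLUNK_HOME/etc/system/local/props.conf on the search head
# Stanza name = the sourcetype from the search (assumed here: wineventlog:security)
[wineventlog:security]

# Calculated fields (EVAL-<fieldname>) are applied at search time, after field
# extraction, so each one sees the multivalue field and rewrites it in place
# as a single value with "; " between the parts. They are independent of each
# other, so one line per field is needed; none of them references another.
EVAL-Account_Domain = mvjoin(Account_Domain, "; ")
EVAL-Account_Name   = mvjoin(Account_Name, "; ")
EVAL-Security_ID    = mvjoin(Security_ID, "; ")
EVAL-Logon_ID       = mvjoin(Logon_ID, "; ")
```

With these in place the search no longer needs the four "| eval ... mvjoin(...)" pipes and the quoting problem from the first approach goes away; restart Splunk or wait for the conf reload before testing.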