Hi all,
I'm currently trying to run a search within the CLI (which works perfectly in the web GUI).
The search is the following:
```spl
sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, "; ") | eval Account_Name=mvjoin(Account_Name, "; ") | eval Security_ID=mvjoin(Security_ID, "; ") | eval Logon_ID=mvjoin(Logon_ID, "; ") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc
```
Note: I am using the eval function to join multiple values that appear in one field in order to remove "line feeds" (because my goal is to export to csv).
In Windows PowerShell I run the following command:
```powershell
splunk.exe search "sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, `"; `") | eval Account_Name=mvjoin(Account_Name, `"; `") | eval Security_ID=mvjoin(Security_ID, `"; `") | eval Logon_ID=mvjoin(Logon_ID, `"; `") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc"
```
Please note that the command works perfectly if the eval functions are left out. But I need them to achieve my goal of having no more "line feeds". So it's more or less a problem of correct escaping!?
I tried to use the escaping explained [on this site][1] but no luck yet. Any ideas?
cheers
-ciir
PS: I know that there is such thing as a Splunk PowerShell Resource Kit (but do I really have to use it?)
[1]: http://ss64.com/ps/syntax-esc.html
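The following is an added example, not code from the original post. It takes the search from the post and hands it to the Splunk CLI from Windows PowerShell in a way that keeps the embedded double quotes intact. The Splunk install path in `$SplunkExe`, the output file name, and the `-output csv` / `-maxout 0` search parameters are assumptions; adjust them to the local installation. The key point is that, up to Windows PowerShell 5.1, a native executable receives an argument wrapped in double quotes but with any double quotes already inside it left unescaped, so `mvjoin(Account_Domain, "; ")` arrives at splunk.exe with its quotes eaten; escaping each embedded `"` as `\"` before the call survives that step.

```powershell
# Added example (not from the original post). Assumed install path; adjust as needed.
$SplunkExe = 'C:\Program Files\Splunk\bin\splunk.exe'

# Keep the SPL in a single-quoted here-string: PowerShell does no interpolation or
# escape processing inside it, so the text is exactly what you would type in the web UI.
# Line breaks are folded to spaces so the whole search is one argument.
$Spl = (@'
sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634)
| eval Account_Domain=mvjoin(Account_Domain, "; ")
| eval Account_Name=mvjoin(Account_Name, "; ")
| eval Security_ID=mvjoin(Security_ID, "; ")
| eval Logon_ID=mvjoin(Logon_ID, "; ")
| table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type
| sort _time desc
'@ -replace "`r?`n", ' ')

# Windows PowerShell 5.1 (and PowerShell 7 below 7.3, or 7.3+ in 'Legacy' mode) wraps the
# argument in double quotes when it contains spaces but does not escape the double quotes
# already inside it, so splunk.exe would see  mvjoin(Account_Domain, ; )  instead.
# Escaping each embedded " as \" is what the native command-line parser expects.
# PowerShell 7.3+ in 'Standard'/'Windows' argument-passing mode does this itself,
# in which case the extra escaping must be skipped or the quotes would be doubled.
$NeedsManualEscape = ($PSVersionTable.PSVersion -lt [version]'7.3') -or
                     ($PSNativeCommandArgumentPassing -eq 'Legacy')
$Arg = if ($NeedsManualEscape) { $Spl -replace '"', '\"' } else { $Spl }

# Run the search and write the result as CSV. -maxout 0 lifts the default row cap;
# -output csv makes the CLI emit CSV rather than a table (both assumed CLI parameters).
& $SplunkExe search $Arg -maxout 0 -output csv |
    Set-Content -Path '.\logon_events.csv' -Encoding UTF8
```

Because the search text lives in a variable rather than in an inline double-quoted string, the backtick escaping from the post is no longer needed, and the same script can be reused by editing only the here-string. If the CLI still receives mangled quotes, printing `$Arg` shows exactly what PowerShell is about to pass and is the quickest way to see which layer of quoting is at fault.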