Hello,
I coming back on this subject since the last topic was automatically closed. There is still issues when copy/pasting the Discover's output.
In the following example, there is 3 columns (@timestamp, host, report_desc). When copying the first 3 lines (see screenshot attached) I have the following output (ELK is 8.12.2):
2016-10-05 07:48:23.000
- @timestamp, column 3, row 1
samples
[evtx/powershell/600] provider 'WSMan' new state is 'Started', ps_host_name: 'ConsoleHost', cmd:''', cmd_path:'', script_name:'', host_application:''
2016-10-05 07:48:23.000
samples
[evtx/powershell/600] provider 'Function' new state is 'Started', ps_host_name: 'ConsoleHost', cmd:''', cmd_path:'', script_name:'', host_application:''
2016-10-05 07:48:23.000
samples
[evtx/powershell/600] provider 'Certificate' new state is 'Started', ps_host_name: 'ConsoleHost', cmd:''', cmd_path:'', script_name:'', host_application:''
While the expected output is:
2016-10-05 07:48:23.000 samples [evtx/powershell/600] provider 'WSMan' new state is 'Started', ps_host_name: 'ConsoleHost', cmd:''', cmd_path:'', script_name:'', host_application:''
2016-10-05 07:48:23.000 samples [evtx/powershell/600] provider 'Function' new state is 'Started', ps_host_name: 'ConsoleHost', cmd:''', cmd_path:'', script_name:'', host_application:''
2016-10-05 07:48:23.000 samples [evtx/powershell/600] provider 'Certificate' new state is 'Started', ps_host_name: 'ConsoleHost', cmd:''', cmd_path:'', script_name:'', host_application:''
We are currently working around this issue by turning on the legacy's doc_table: doc_table:legacy.
Could it be possible to patch it ?
Thanks in advance.