I have a report that generates a CSV file of Windows Security events. With this report, I want to pull specific information.
The following code parses each line of data by whitespace between fields. This is working correctly:
$InStuff = Get-Content -Path 'SecurityEvents.csv'
$ColCount = $InStuff[1].Split(' ').Count
$Collection = $InStuff | ConvertFrom-Csv -Delimiter ' ' -Header (1..$ColCount).ForEach({"Column_$_"})
$Collection |
    Select-Object -Property 'Column_17', 'Column_83'
Sample rows of CSV:
<134>Dec 13 13:50:23 10.137.119.42 MSWinEventLog 1 Security 123456789 Thu Dec 13 13:50:23 2018 4662 Microsoft-Windows-Security-Auditing MyCompany\dy625 N/A Success Audit mydc1.dy625.com Directory Service Access An operation was performed on an object. Subject : Security ID: S-123456 Account Name: dy625 Account Domain: MyCompany Logon ID: XXXXXXXX Object: Object Server: DS Object Type: %{XXXXXXXX-XXXXXXXX-XXXXXXXX} Object Name: %{XXXXXXXX-XXXXXXXX-XXXXXXXX} Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} Additional Information: Parameter 1: - Parameter 2: 123456
<134>Dec 13 13:50:18 10.137.119.42 MSWinEventLog 1 Security 123456789 Thu Dec 13 13:50:18 2018 4662 Microsoft-Windows-Security-Auditing MyCompany\dy626 N/A Success Audit mydc1.dy625.com Directory Service Access An operation was performed on an object. Subject : Security ID: S-123456 Account Name: dy626 Account Domain: MyCompany Logon ID: XXXXXXXX Object: Object Server: DS Object Type: %{XXXXXXXX-XXXXXXXX-XXXXXXXX} Object Name: %{XXXXXXXX-XXXXXXXX-XXXXXXXX} Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} Additional Information: Parameter 1: - Parameter 2: 123456
<134>Jan  4 13:50:14 10.137.118.22 MSWinEventLog 1 Security 123456789 Thu Dec 13 13:50:14 2018 4662 Microsoft-Windows-Security-Auditing MyCompany\dy627 N/A Success Audit mydc1.dy625.com Directory Service Access An operation was performed on an object. Subject : Security ID: S-123456 Account Name: dy627 Account Domain: MyCompany Logon ID: XXXXXXXX Object: Object Server: DS Object Type: %{XXXXXXXX-XXXXXXXX-XXXXXXXX} Object Name: %{XXXXXXXX-XXXXXXXX-XXXXXXXX} Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} Additional Information: Parameter 1: - Parameter 2: 123456
An unforeseen issue is that Windows does not format their dates as I expected. For example, see below:
<134>Dec 13
<134>Jan  4
If you notice, there are two whitespaces between 'Jan' and '4', while there is one whitespace between 'Dec' and '13'. This means that I require two different scripts to run, depending on the day of the month.
I was wondering if it is possible to make delimiters "variable" whitespace, rather than a single defined ' ' in this specific instance. It looks like this functionality is not supported within the ConvertFrom-Csv command - and I'm not sure how I'd rewrite my code to accommodate this.
you will need to add another step that replaces "two or more whitespace chars" with one space. something like this ...
# fake reading in a text file
# in real life, use Get-Content
$Test = @'
dec 13 qwerty
jan  4 asdfgh
'@ -split [environment]::NewLine
$Test -replace '\s{2,}', ' ' |
ConvertFrom-Csv -Delimiter ' ' -Header 'One', 'Two'
output ...
One Two
--- ---
dec 13
jan 4
Just replace all double white spaces with a single one:
$InStuff = $InStuff.Replace('  ',' ')
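An added example, not code from the question or from either answer: rather than collapsing whitespace and selecting by column number, it extracts the fields with a regular expression in which `\s+` matches any run of whitespace, and finds the account by its `Account Name:` label. The sample rows are constructed, shortened copies of the question's rows, and the property names (`Day`, `EventId`, `Account` and so on) are labels chosen here.

```powershell
# Constructed sample input, shortened from the question's rows. The second row
# has two spaces between 'Jan' and '4', the case that breaks a single-space split.
$InStuff = @(
    '<134>Dec 13 13:50:23 10.137.119.42 MSWinEventLog 1 Security 123456789 Thu Dec 13 13:50:23 2018 4662 Microsoft-Windows-Security-Auditing MyCompany\dy625 N/A Success Audit mydc1.dy625.com Directory Service Access An operation was performed on an object. Subject : Security ID: S-123456 Account Name: dy625 Account Domain: MyCompany'
    '<134>Jan  4 13:50:14 10.137.118.22 MSWinEventLog 1 Security 123456789 Thu Dec 13 13:50:14 2018 4662 Microsoft-Windows-Security-Auditing MyCompany\dy627 N/A Success Audit mydc1.dy625.com Directory Service Access An operation was performed on an object. Subject : Security ID: S-123456 Account Name: dy627 Account Domain: MyCompany'
)

# Leading part of each row, token by token as it appears in the sample rows.
# Every separator is \s+, so one, two or more spaces are all accepted.
$HeaderPattern = '^<\d+>(?<Month>[A-Za-z]{3})\s+(?<Day>\d{1,2})\s+(?<Time>[\d:]{8})\s+' +
                 '(?<Source>\S+)\s+MSWinEventLog\s+\d+\s+(?<Log>\S+)\s+\d+\s+' +
                 '\S+\s+\S+\s+\d+\s+[\d:]+\s+\d{4}\s+(?<EventId>\d+)\s'

# The message body has a variable number of tokens, so locate this field by
# its label instead of by position.
$AccountPattern = 'Account Name:\s+(?<Account>\S+)'

$Events = foreach ($Line in $InStuff) {
    $Header = [regex]::Match($Line, $HeaderPattern)
    if (-not $Header.Success) {
        # Surface rows that do not fit instead of silently shifting columns.
        Write-Warning "Unparsed line: $Line"
        continue
    }
    $Account = [regex]::Match($Line, $AccountPattern)

    [pscustomobject]@{
        Month   = $Header.Groups['Month'].Value
        Day     = [int]$Header.Groups['Day'].Value
        Time    = $Header.Groups['Time'].Value
        Source  = $Header.Groups['Source'].Value
        Log     = $Header.Groups['Log'].Value
        EventId = [int]$Header.Groups['EventId'].Value
        Account = if ($Account.Success) { $Account.Groups['Account'].Value } else { $null }
    }
}

$Events | Format-Table -AutoSize
```

Rows that do not match the header pattern are reported with `Write-Warning` rather than parsed into misaligned columns, which matters when the report feeds a review of who changed which directory object.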