A WLS user contacted me and was having issues parsing a date from a data field in EventID 6008 (unexpected shutdown). Taking a look at my logs everything looked fine, even in a viewer like Notepad++ with Show View->Show Symbol->Show All Characters. Since I use Splunk, on the record in question I selected Event Actions->Show Source, and it looked fine there too. Next I did a right-click and Inspect on the web page and there it was: “‎” aka u200e, aka E2808E, aka “Left-To-Right Mark”.
Saving the event text to a file and opening it with a hex editor also shows the control character in question (e2 80 8e):
Indeed these control characters are included in at least 8 other events and all appear to be in date fields.
In Splunk you can use rex/sed or replace to remove control characters before attempting a strptime or other function.
`wlslogs` EventID=6008 | rex field=Data1 mode=sed "s/\p{C}//g" | eval NewDate=strptime(Data1,"%m/%d/%Y")
or
`wlslogs` EventID=6008 | eval NewDate=strptime(replace(Data1,"\p{C}",""),"%m/%d/%Y")
Article Link: https://digirati82.com/2017/07/13/event-logs-with-control-characters/