Extract in Props.conf

pfabrizi — Tue, 23 Jan 2018 18:47:46 GMT

I am trying to extract a field from cisco:asa events in my props.conf.
Here is the event:

Jan 23 11:04:57 taaaaaaa %ASA-6-717022: Certificate was successfully validated. serial number: 21EB548E00000000994A, subject name:  cn=XXX1G,ou=CL,ou=LOB,dc=xxx,dc=xxxxx,dc=net.

here is my extract:

EXTRACT-serial_number = ^.*Certificate was successfully validated. serial number:.*\s([0-9A-Z]+)

parses fine in regex101

is this an acceptable regex?

I only want it for these events.

Re: Extract in Props.conf

MuS — Tue, 23 Jan 2018 18:57:40 GMT

Hi pfabrizi,

try this regex:

 Certificate was successfully validated\. serial number:\s+([0-9A-Z]+)

You missed to escape the .. If it is still not working, check if there is no typo in the assigned sourcetype, source or hostname for the props stanza.

Hope this helps ...

cheers, MuS

topic Extract in Props.conf in Splunk Search

Extract in Props.conf

Re: Extract in Props.conf