I need to get commonName for ISSUER NAME but there are multiple issues: there are more than one commonName(one for ISSUER NAME and another for SUBJECT NAME), commonName position below ISSUER NAME is not fixed, and commonName will sometimes be a string of words with spaces between them. Is there a syntax for an indefinite number of characters and a syntax for scanning a string of words and spaces?
Data:
(0)ISSUER NAME
countryName US
organizationName Lucky Stars
commonName Dev Lucky Stars Internal PKI Firmwide Generic Issuing CA 6
(0)SUBJECT NAME
countryName US
stateOrProvinceName New York
localityName New York
organizationName Lucky Stars
commonName iklabnac04.ms.com
emailAddress mike.ng@luckystars.com
(0)Valid From May 26 03:33:39 2016 GMT
(0)Valid Till May 26 03:33:39 2018 GMT
Try this. There can be more than 2 commonName, adjust the max_match count and eval statements accordingly.
.... | rex max_match=2 "(?<commonName>commonName[^\t\n]+)" | eval commonName_Issuer=mvindex(commonName, 0) | eval commonName_Subject=mvindex(commonName, 1) | ...
I'm a little unfamiliar with regex syntax. What do the "..." and pipes indicate? What do I replace the "..." with?
the ... just means etc. At the beginning it is your base search, like this
index=nameofyourindex sourcetype=nameofsourcetype | rex max_match=2 "(?<commonName>commonName[^\t\n]+)" | eval commonName_Issuer=mvindex(commonName, 0) | eval commonName_Subject=mvindex(commonName, 1) | table _time commonName_Issuer commonName_Subject
This looks like a search string for Search&Reporting. Can I also put this string in the extraction/transform field?
If you want the regex for the extraction/transform field, you can use the following in your props & transforms
*props*
[unique_stanza_name]
REPORT-common = commName_extract
*transforms*
[commName_extract]
REGEX=(?<commonName>commonName[^\t\n]+)
MV_ADD = true
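The positional rex/mvindex approach from the answer above, beside a section-aware variant, as an added Python example that is not from the original thread or from Splunk; the sample event is constructed from the question's data, and the swapped-order event is constructed to show where the positional mapping goes wrong.

```python
import re

# Constructed sample blocks, modelled on the certificate dump in the question.
ISSUER_BLOCK = ("(0)ISSUER NAME\ncountryName US\norganizationName Lucky Stars\n"
                "commonName Dev Lucky Stars Internal PKI Firmwide Generic Issuing CA 6\n")
SUBJECT_BLOCK = ("(0)SUBJECT NAME\ncountryName US\norganizationName Lucky Stars\n"
                 "commonName iklabnac04.ms.com\nemailAddress mike.ng@luckystars.com\n")
TAIL = "(0)Valid From May 26 03:33:39 2016 GMT\n(0)Valid Till May 26 03:33:39 2018 GMT\n"
SAMPLE_EVENT = ISSUER_BLOCK + SUBJECT_BLOCK + TAIL   # block order as in the question
SWAPPED_EVENT = SUBJECT_BLOCK + ISSUER_BLOCK + TAIL  # constructed: subject block first

# Same character class as the rex answer: "commonName" then everything up to a tab or newline.
COMMON_NAME_RE = re.compile(r"commonName[^\t\n]+")

def rex_style(event, max_match=2):
    """Mimic `rex max_match=2` followed by mvindex(commonName, 0) / mvindex(commonName, 1).

    Positional: the first match is labelled issuer and the second subject, so the
    result is only right when the ISSUER NAME block precedes SUBJECT NAME.
    The "commonName " prefix that the page's capture group keeps is stripped here.
    """
    values = [m.group(0)[len("commonName"):].strip()
              for m in COMMON_NAME_RE.finditer(event)][:max_match]
    values += [None] * (2 - len(values))
    return {"issuer": values[0], "subject": values[1]}

SECTION_RE = re.compile(r"^\(\d+\)(ISSUER NAME|SUBJECT NAME)$")

def section_aware(event):
    """Attribute each commonName to the DN block it sits in, whatever the block
    order and whatever line it appears on inside that block."""
    result = {"issuer": None, "subject": None}
    current = None
    for line in event.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = "issuer" if header.group(1) == "ISSUER NAME" else "subject"
        elif line.startswith("(0)"):
            current = None  # Valid From / Valid Till lines end the DN blocks
        elif current and line.startswith("commonName "):
            result[current] = line[len("commonName"):].strip()
    return result

if __name__ == "__main__":
    print(rex_style(SAMPLE_EVENT), section_aware(SAMPLE_EVENT))
    print(rex_style(SWAPPED_EVENT), section_aware(SWAPPED_EVENT))
```

On the swapped event the positional version labels the server name as the issuer, while the section-aware version still returns the CA name for issuer.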
Give this a try
your base search | rex "commonName (?<commonName>(\S+\s*)+)"
would this be an inline command?
Yes, this would be added to your current search. Post the search you're using if you've any confusion where it should be added.
Is the commonName field always prefixed by "commonName"?