SSL certificate checker issue: How to see all SSL ...

pchintha · ‎02-13-2022

Hi please help here

we are using below base search and we need to see all ssl certificates with days left in EST.

index=ssl_certs |rex field=_raw "[^'\n]*'expires=\"(?<expires>[^\\\'\"]+)"| stats c by host expires cert | eval time = strftime( strptime( expires , "%b %d %H:%M:%S %Y %Z" ), "%Y/%m/%d %H:%M:%S %Z")

need exact query for this we tried a lot actually. we are using ssl_checker app for this.

isoutamo · ‎02-14-2022

Based on your search response (which is not a raw data) this could helps you.

index=ssl_certs 
| rex "expires=\"(?<exp>[^\\\]+)\\\n"
| eval expTime = strptime(exp, "%b %d %H:%M:%S %Y %Z"), curTime = now()
| eval leftTime = tostring(expTime - curTime, "duration")
| eval daysLeft = mvindex(split(leftTime, "+"), 0)
| table exp expTime curTime left daysLeft

There are other ways to do it.

r. Ismo

pchintha · ‎02-14-2022

showing no results

isoutamo · ‎02-14-2022

Works with me with that app. Can you add that _raw data from your query so we can test it with your data?

e.g.

index=ssl_certs sourcetype=ssl_certs
| head 10
| table _time _raw

Then add that output inside editors </> (code block) so that it will not changed when you are posting it.

pchintha · ‎02-14-2022

Here is the sample events

isoutamo · ‎02-14-2022

Can you post some raw events in code box to helps you?

pchintha · ‎02-14-2022

This helps for me, from in this and expires is in GMT and the expTime is in EST guess so and we need all to know in EST only

SSL certificate checker issue: How to see all SSL Certificates in the current search?

authentication

SSL

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)