Splunk Enterprise

SSL Certificate

Amiir-89
Engager

Hey all,
I have downloaded the app SSL Certificate lookup.

I am using this search to see information about the certificate, but it gives me no information.

 

| makeresults
| eval dest="example.com"
| mvexpand dest
| lookup sslcert_lookup dest OUTPUT ssl_subject_common_name ssl_subject_alt_name ssl_end_time ssl_validity_window
| eval ssl_subject_alt_name = split(ssl_subject_alt_name,"|")
| eval days_left = round(ssl_validity_window/86400)

 



The domain is using port 8441.

When I add, for example, splunk.com it works, but not the one I want to see.

What is wrong in the search, or what should I add?

Thanks in advance


aaryan
Engager

Please try this if you want to add the port.  

| makeresults
| eval dest="example.com", dest_port=8441
| lookup sslcert_lookup dest dest_port OUTPUT ssl_subject_common_name ssl_subject_alt_name ssl_end_time ssl_validity_window
| eval ssl_subject_alt_name = split(ssl_subject_alt_name,"|")
| eval days_left = round(ssl_validity_window/86400)
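
The accepted search extended to several host:port targets, added here as an example that is not part of the original thread or of the app's documentation. It goes beyond the single-host case above: it splits a port out of each target, flags rows where the lookup returned nothing (the symptom described in the question), and marks certificates that are close to expiry. The target list, the fallback to port 443 when no port is given, the 30-day threshold and the status field are assumptions made for illustration; the lookup name and its fields are the ones used in the thread.

```spl
| makeresults
| eval target=split("example.com:8441,splunk.com", ",") ```constructed sample targets```
| mvexpand target
| rex field=target "^(?<dest>[^:]+)(?::(?<dest_port>\d+))?$"
| eval dest_port=coalesce(dest_port, "443") ```assumed fallback when the target has no port```
| lookup sslcert_lookup dest dest_port OUTPUT ssl_subject_common_name ssl_subject_alt_name ssl_end_time ssl_validity_window
| eval ssl_subject_alt_name = split(ssl_subject_alt_name,"|")
| eval days_left = round(ssl_validity_window/86400)
| eval warn_days=30 ```assumed alerting threshold```
| eval status=case(isnull(ssl_end_time), "no certificate returned (check dest and dest_port)",
    days_left < 0, "expired",
    days_left < warn_days, "expiring soon",
    true(), "ok")
| sort 0 days_left
| table dest dest_port ssl_subject_common_name ssl_subject_alt_name ssl_end_time days_left status
```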
