Splunk Search

Check certificats

miguel1423
Explorer

Hello,

I make a script that retourne a certificats list in Excel form then I display uniquely the certifcat about to expire with a validity days.

But I would like to display " No certificat about to expire" if no value are find and not the message below. Do you know if it is possible ?

miguel1423_0-1595402312162.png

 

index = "index_pki" sourcetype = "splunk_csv" AND (Template=FVE_ServerWeb OR Template=1.3.6.1.4.1.311.21.8.4247237.15172642.2378160.7384375.2155270.77.16524867.13256529 OR Template=FVE_ServerWeb_2Years)
 | fields ReqID  CN  Template  Validity  NotAfter  NotBefore  San  Tumbprint Requester_Name |dedup  ReqID CN
 | where Validity < 30
 | sort Validity
 | table ReqID  CN  Template  Validity  NotAfter  NotBefore  San  Tumbprint Requester_Name

 

 

Thank you 

 

Regards,

 

Miguel

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The appendpipe command usually is used for that.

index = "index_pki" sourcetype = "splunk_csv" AND (Template=FVE_ServerWeb OR Template=1.3.6.1.4.1.311.21.8.4247237.15172642.2378160.7384375.2155270.77.16524867.13256529 OR Template=FVE_ServerWeb_2Years)
 | fields ReqID  CN  Template  Validity  NotAfter  NotBefore  San  Tumbprint Requester_Name |dedup  ReqID CN
 | where Validity < 30
 | appendpipe [ stats count | eval Validity=0, ReqID="No certificat about to expire" | where count=0 | fields - count ]
 | sort Validity
 | table ReqID  CN  Template  Validity  NotAfter  NotBefore  San  Tumbprint Requester_Name
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The appendpipe command usually is used for that.

index = "index_pki" sourcetype = "splunk_csv" AND (Template=FVE_ServerWeb OR Template=1.3.6.1.4.1.311.21.8.4247237.15172642.2378160.7384375.2155270.77.16524867.13256529 OR Template=FVE_ServerWeb_2Years)
 | fields ReqID  CN  Template  Validity  NotAfter  NotBefore  San  Tumbprint Requester_Name |dedup  ReqID CN
 | where Validity < 30
 | appendpipe [ stats count | eval Validity=0, ReqID="No certificat about to expire" | where count=0 | fields - count ]
 | sort Validity
 | table ReqID  CN  Template  Validity  NotAfter  NotBefore  San  Tumbprint Requester_Name
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

miguel1423
Explorer

Hello,

 

Thank you, it's work perfectly 😃

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!