Splunk Search

Check certificats

miguel1423
Explorer

Hello,

I make a script that retourne a certificats list in Excel form then I display uniquely the certifcat about to expire with a validity days.

But I would like to display " No certificat about to expire" if no value are find and not the message below. Do you know if it is possible ?

miguel1423_0-1595402312162.png

 

index = "index_pki" sourcetype = "splunk_csv" AND (Template=FVE_ServerWeb OR Template=1.3.6.1.4.1.311.21.8.4247237.15172642.2378160.7384375.2155270.77.16524867.13256529 OR Template=FVE_ServerWeb_2Years)
 | fields ReqID  CN  Template  Validity  NotAfter  NotBefore  San  Tumbprint Requester_Name |dedup  ReqID CN
 | where Validity < 30
 | sort Validity
 | table ReqID  CN  Template  Validity  NotAfter  NotBefore  San  Tumbprint Requester_Name

 

 

Thank you 

 

Regards,

 

Miguel

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The appendpipe command usually is used for that.

index = "index_pki" sourcetype = "splunk_csv" AND (Template=FVE_ServerWeb OR Template=1.3.6.1.4.1.311.21.8.4247237.15172642.2378160.7384375.2155270.77.16524867.13256529 OR Template=FVE_ServerWeb_2Years)
 | fields ReqID  CN  Template  Validity  NotAfter  NotBefore  San  Tumbprint Requester_Name |dedup  ReqID CN
 | where Validity < 30
 | appendpipe [ stats count | eval Validity=0, ReqID="No certificat about to expire" | where count=0 | fields - count ]
 | sort Validity
 | table ReqID  CN  Template  Validity  NotAfter  NotBefore  San  Tumbprint Requester_Name
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The appendpipe command usually is used for that.

index = "index_pki" sourcetype = "splunk_csv" AND (Template=FVE_ServerWeb OR Template=1.3.6.1.4.1.311.21.8.4247237.15172642.2378160.7384375.2155270.77.16524867.13256529 OR Template=FVE_ServerWeb_2Years)
 | fields ReqID  CN  Template  Validity  NotAfter  NotBefore  San  Tumbprint Requester_Name |dedup  ReqID CN
 | where Validity < 30
 | appendpipe [ stats count | eval Validity=0, ReqID="No certificat about to expire" | where count=0 | fields - count ]
 | sort Validity
 | table ReqID  CN  Template  Validity  NotAfter  NotBefore  San  Tumbprint Requester_Name
---
If this reply helps you, Karma would be appreciated.
0 Karma

miguel1423
Explorer

Hello,

 

Thank you, it's work perfectly 😃

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...