Splunk Search

How can I extract the 3 different certificate errors below into a single field within a Splunk query as part of a saved search?

Path Finder

Hi,

I need to extract the 3 different certificate errors below into a single field called CertErrors within a Splunk query as part of a saved search. The regex needs to extract from the final colon after 0126006:4: Peer cert verify error up to the first (

01260006:4: Peer cert verify error: certificate has expired (depth 0
01260006:4: Peer cert verify error: certificate revoked (depth
01260006:4: Peer cert verify error: unable to get local issuer certificate (depth)

Thanks

0 Karma
1 Solution

Super Champion

hi
Try this:

|rex  max_match=0 "error:\s(?<CertErrors>[^(]+)"

Run this anywhere search:

|makeresults|eval _raw="01260006:4: Peer cert verify error: certificate has expired (depth 0
01260006:4: Peer cert verify error: certificate revoked (depth
01260006:4: Peer cert verify error: unable to get local issuer certificate (depth"
|rex max_match=0 "error:\s(?<CertErrors>[^(]+)"

View solution in original post

0 Karma

Super Champion

hi
Try this:

|rex  max_match=0 "error:\s(?<CertErrors>[^(]+)"

Run this anywhere search:

|makeresults|eval _raw="01260006:4: Peer cert verify error: certificate has expired (depth 0
01260006:4: Peer cert verify error: certificate revoked (depth
01260006:4: Peer cert verify error: unable to get local issuer certificate (depth"
|rex max_match=0 "error:\s(?<CertErrors>[^(]+)"

View solution in original post

0 Karma

Path Finder

Perfect, thanks.

0 Karma