Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How can I extract the 3 different certificate errors below into a single field within a Splunk query as part of a saved search?

jacqu3sy
Path Finder
‎02-05-2018 03:10 AM

Hi,

I need to extract the 3 different certificate errors below into a single field called CertErrors within a Splunk query as part of a saved search. The regex needs to extract from the final colon after 0126006:4: Peer cert verify error up to the first (

01260006:4: Peer cert verify error: certificate has expired (depth 0
01260006:4: Peer cert verify error: certificate revoked (depth
01260006:4: Peer cert verify error: unable to get local issuer certificate (depth)

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎02-05-2018 03:24 AM

hi
Try this:

|rex  max_match=0 "error:\s(?<CertErrors>[^(]+)"

Run this anywhere search:

|makeresults|eval _raw="01260006:4: Peer cert verify error: certificate has expired (depth 0
01260006:4: Peer cert verify error: certificate revoked (depth
01260006:4: Peer cert verify error: unable to get local issuer certificate (depth"
|rex max_match=0 "error:\s(?<CertErrors>[^(]+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎02-05-2018 03:24 AM

hi
Try this:

|rex  max_match=0 "error:\s(?<CertErrors>[^(]+)"

Run this anywhere search:

|makeresults|eval _raw="01260006:4: Peer cert verify error: certificate has expired (depth 0
01260006:4: Peer cert verify error: certificate revoked (depth
01260006:4: Peer cert verify error: unable to get local issuer certificate (depth"
|rex max_match=0 "error:\s(?<CertErrors>[^(]+)"
0 Karma
Reply
Solved! Jump to solution

jacqu3sy
Path Finder
‎02-05-2018 03:27 AM

Perfect, thanks.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...