Hi

If you want to extract date/time, please try the following

| makeresults 
| eval temp="xxxxx: Signing certificate with thumbprint '1111111111111111111111' is set to expire on 2/13/2020 6:59:59 PM." 
| rex field=temp "set to expire on\s(?P<expireon>\d{1,2}\/\d{1,2}\/\d{4}\s\d{1,2}\:\d{1,2}\:\d{1,2}\s(AM|PM))"