Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex Help

mikefoti
Communicator
‎12-02-2011 05:48 AM

A complete event record looks like this:

Row 114005: Requester Name: "RETAIL\S2343W01$" Issued Common Name: "S2343W01.retail.fakename.com" User Principal Name: "S2343W01.retail.fakename.com" Serial Number: "4c22be0100010002d317" Certificate Template: Client Authentication - Retail Desktops Certificate Effective Date: 12/1/2011 10:38 AM Certificate Expiration Date: 11/30/2012 10:38 AMMaximum Row Index: 114005

My Regex to capture a cert_SN field looks like this:

(?i)Serial Number: “(?P<cert_SN>.+?\n)

The result captures the seriel number PLUS the final quote i.e. 

cert_SN = 4c22be0100010002d317"

How can I eliminate the final quote?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎12-02-2011 05:54 AM

You can try either of these:

(?i)Serial Number:\s\"(?P<cert_sn>\w+)\"

OR

(?i)Serial Number:\s\"(?P<cert_sn>\w+)

-->
EDIT: In case you need to capture empty fields then try this:

(?i)Serial Number:\s\"(?P<cert_sn>[^\"]*)\"

This will capture everything between "" even when there are no spaces between quotes. If you know for certain that there will be spaces between quotes then change * to +.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

View solution in original post

Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎12-02-2011 05:54 AM

You can try either of these:

(?i)Serial Number:\s\"(?P<cert_sn>\w+)\"

OR

(?i)Serial Number:\s\"(?P<cert_sn>\w+)

-->
EDIT: In case you need to capture empty fields then try this:

(?i)Serial Number:\s\"(?P<cert_sn>[^\"]*)\"

This will capture everything between "" even when there are no spaces between quotes. If you know for certain that there will be spaces between quotes then change * to +.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

Reply
Solved! Jump to solution

mikefoti
Communicator
‎12-02-2011 06:18 AM

both work equally well both both also fail to pick up a value of EMPTY... which is weird... seems like /w ought to match EMPTY or anyother word?!?!?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...