Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex Help

mikefoti
Communicator
‎12-02-2011 05:48 AM

A complete event record looks like this:

Row 114005: Requester Name: "RETAIL\S2343W01$" Issued Common Name: "S2343W01.retail.fakename.com" User Principal Name: "S2343W01.retail.fakename.com" Serial Number: "4c22be0100010002d317" Certificate Template: Client Authentication - Retail Desktops Certificate Effective Date: 12/1/2011 10:38 AM Certificate Expiration Date: 11/30/2012 10:38 AMMaximum Row Index: 114005

My Regex to capture a cert_SN field looks like this:

(?i)Serial Number: “(?P<cert_SN>.+?\n)

The result captures the seriel number PLUS the final quote i.e. 

cert_SN = 4c22be0100010002d317"

How can I eliminate the final quote?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎12-02-2011 05:54 AM

You can try either of these:

(?i)Serial Number:\s\"(?P<cert_sn>\w+)\"

OR

(?i)Serial Number:\s\"(?P<cert_sn>\w+)

-->
EDIT: In case you need to capture empty fields then try this:

(?i)Serial Number:\s\"(?P<cert_sn>[^\"]*)\"

This will capture everything between "" even when there are no spaces between quotes. If you know for certain that there will be spaces between quotes then change * to +.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

View solution in original post

Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎12-02-2011 05:54 AM

You can try either of these:

(?i)Serial Number:\s\"(?P<cert_sn>\w+)\"

OR

(?i)Serial Number:\s\"(?P<cert_sn>\w+)

-->
EDIT: In case you need to capture empty fields then try this:

(?i)Serial Number:\s\"(?P<cert_sn>[^\"]*)\"

This will capture everything between "" even when there are no spaces between quotes. If you know for certain that there will be spaces between quotes then change * to +.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

Reply
Solved! Jump to solution

mikefoti
Communicator
‎12-02-2011 06:18 AM

both work equally well both both also fail to pick up a value of EMPTY... which is weird... seems like /w ought to match EMPTY or anyother word?!?!?

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top