Splunk Search

Regex -or- How to cleanup field values

mikefoti
Communicator

A single event looks like this:

Row 113711: Requester Name: "RETAIL\HH01-0002" User Principal Name: "HH01-0002@retail.com" Serial Number: "41444bca9b200010002d1f1" Certificate Template: "ClientAuth" Certificate Effective Date:
11/29/2011 10:10 AM Certificate Expiration Date: 11/28/2013 10:10 AM

The only way I found to extract fields for the Expiration & Effective dates was custom regex that looks like this:

(?-s)(?i)(?P<cert_StartDate>Certificate Effective Date:.+\n?)

(?-s)(?i)(?P<cert_EndDate>Certificate Expiration Date:.+\n?)

My problem is that the field values contain text in addition to the dates and time information, for example:

cert_EndDate=Certificate Expiration Date: 11/28/2013 10:36 AM

My question is, how can I get rid of the text within the field values?

0 Karma
1 Solution

BobM
Builder

You just need to move the text out of the bracket but I would also lock down the date format.

(?-s)(?i)Certificate Effective Date: (?P<cert_startdate>[\d/]+ [\d:]+ [AP]M)

(?-s)(?i)Certificate Expiration Date: (?P<cert_enddate>[\d/]+ [\d:]+ [AP]M)

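Added example (not from either poster) showing why the fix works: the question's pattern is run beside the accepted answer's pattern against a constructed copy of the event, and only the text inside the `(?P<name>...)` group comes back as the field value. The sample event and the helper names `extract` and `expiration_datetime` are assumptions; Splunk's `(?-s)` is left out because Python's `re` has DOTALL off by default and does not accept an unscoped flag-off.

```python
import re
from datetime import datetime

# Constructed sample event, modelled on the one in the question (kept on one
# line so both patterns see "Date: <value>" separated by a single space).
EVENT = (
    'Row 113711: Requester Name: "RETAIL\\HH01-0002" '
    'User Principal Name: "HH01-0002@retail.com" '
    'Serial Number: "41444bca9b200010002d1f1" Certificate Template: "ClientAuth" '
    'Certificate Effective Date: 11/29/2011 10:10 AM '
    'Certificate Expiration Date: 11/28/2013 10:10 AM'
)

# The question's pattern: the label sits inside the named group, so it becomes
# part of the field value (the (?-s) prefix from the Splunk version is omitted).
LABEL_INSIDE = re.compile(r"(?i)(?P<cert_EndDate>Certificate Expiration Date:.+\n?)")

# The accepted answer's pattern: label outside the group, value format locked
# down to "MM/DD/YYYY HH:MM AM|PM", so junk like "n/a" is rejected instead of
# being stored as a date.
LABEL_OUTSIDE = re.compile(
    r"(?i)Certificate Expiration Date: (?P<cert_enddate>[\d/]+ [\d:]+ [AP]M)"
)


def extract(pattern, event):
    """Return {group name: captured text}, like Splunk's rex, or {} on no match."""
    m = pattern.search(event)
    return m.groupdict() if m else {}


def expiration_datetime(event):
    """Parse the locked-down capture into a datetime so expiry can be compared."""
    value = extract(LABEL_OUTSIDE, event).get("cert_enddate")
    return datetime.strptime(value, "%m/%d/%Y %I:%M %p") if value else None


if __name__ == "__main__":
    print(extract(LABEL_INSIDE, EVENT))   # value still carries the label text
    print(extract(LABEL_OUTSIDE, EVENT))  # value is only the date and time
    print(expiration_datetime(EVENT))     # usable for "expires within N days" checks
```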

mikefoti
Communicator

Wow... that's not what I expected.

So if I understand correctly, only the portion between (P and the closing ) becomes the value of the field?

Is this correct?

0 Karma

Ayn
Legend

Yes. That is how regexes work.

0 Karma
