Splunk Search

Regex -or- How to cleanup field values

mikefoti
Communicator

A single event looks like this:

Row 113711: Requester Name: "RETAIL\HH01-0002" User Principal Name: "HH01-0002@retail.com" Serial Number: "41444bca9b200010002d1f1" Certificate Template: "ClientAuth" Certificate Effective Date:
11/29/2011 10:10 AM Certificate Expiration Date: 11/28/2013 10:10 AM

The only way I found to extract fileds for the Expiration & Effective dates was custom regex that looks like this:

(?-s)(?i)(?PCertificate Effective Date:.+\n?)

(?-s)(?i)(?PCertificate Expiration Date:.+\n?)**

My problem is that the field values contain text in addition to the dates and time information, for example:

cert_EndDate=Certificate Expiration Date: 11/28/2013 10:36 AM

My question is, how can I get ride of the text within the field values?

0 Karma
1 Solution

BobM
Builder

You just need to move the text out of the bracket but I would also lock down the date format.

(?-s)(?i)Certificate Effective Date: (?P<cert_startdate>[\d/]+ [\d:]+ [AP]M)

(?-s)(?i)Certificate Expiration Date: (?P<cert_enddate>[\d/]+ [\d:]+ [AP]M)

View solution in original post

mikefoti
Communicator

Wow... that's not what I expected.

So if I understand correclty, only the portion between (P and the closing ) become the value of the field?

Is this corrcet?

0 Karma

Ayn
Legend

Yes. That is how regexes work.

0 Karma

BobM
Builder

You just need to move the text out of the bracket but I would also lock down the date format.

(?-s)(?i)Certificate Effective Date: (?P<cert_startdate>[\d/]+ [\d:]+ [AP]M)

(?-s)(?i)Certificate Expiration Date: (?P<cert_enddate>[\d/]+ [\d:]+ [AP]M)

View solution in original post

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!