Hi gurus, I am new to Splunk but have this task that I'm stumped on: I have a query that looks like this:

index=pp_security_app_tenablenessus sourcetype="tenable:io:vuln" plugin.id="42981"
| table asset_fqdn, ipv4, port.port, port.protocol, plugin.synopsis, output

One of the resulting fields is a field named "output". Inside the output field I will have data that looks like this:

The SSL certificate will expire within 90 days, at
Jan 29 12:00:00 2021 GMT :
Subject : C=US, ST=California, L=San Jose, O=Jimmy's Bar & Grill, OU=Kitchen, CN=jimmysbarandgrill.com
Issuer : C=US, O=DigiCert Inc, CN=DigiCert Global CA G2
Not valid before : Jan 29 00:00:00 2019 GMT
Not valid after : Jan 29 12:00:00 2021 GMT

Sometimes the Subject field only has the CN like this:

The SSL certificate will expire within 90 days, at
Jan 29 12:00:00 2021 GMT :
Subject : CN=jimmysbarandgrill.com
Issuer : C=US, O=DigiCert Inc, CN=DigiCert Global CA G2
Not valid before : Jan 29 00:00:00 2019 GMT
Not valid after : Jan 29 12:00:00 2021 GMT

I need to extract the Common Name (anything after CN= till end of line or next comma) from both the Subject and Issuer sections of the output field, then extract the 'Not valid before' and 'Not valid after' sections of the output field after the colon and put the extracted data into fields named CommonName, Issuer, Before and After. Thanks in advance for your help.
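An added worked example, not part of the original post: the four extractions the question asks for, written as PCRE-compatible regexes and exercised in Python against two constructed output blobs shaped like the ones above (the full Subject DN and the CN-only Subject). The group names are the requested field names; the same patterns are shown in a comment as `rex` commands to append to the search in the question. The `days_until_expiry` helper, the sample blobs and the reference date are assumptions made for the example and are not taken from the post.

```python
import re
from datetime import datetime

# Patterns are kept PCRE-compatible so they can be pasted into Splunk's rex command unchanged.
# Python requires the (?P<name>...) group syntax; Splunk's rex accepts it as well.
# Group names match the target field names from the question: CommonName, Issuer, Before, After.
PATTERNS = {
    # Common Name on the Subject line: text after CN= up to the next comma or end of line.
    # [^\r\n]*? keeps the search on the Subject line; \b avoids matching CN= inside a longer token.
    "CommonName": r"Subject\s*:[^\r\n]*?\bCN=(?P<CommonName>[^,\r\n]+?)\s*(?:,|\r?\n|$)",
    # Common Name on the Issuer line, same shape.
    "Issuer": r"Issuer\s*:[^\r\n]*?\bCN=(?P<Issuer>[^,\r\n]+?)\s*(?:,|\r?\n|$)",
    # Everything after the colon on the two validity lines, trailing whitespace dropped.
    "Before": r"Not valid before\s*:\s*(?P<Before>[^\r\n]+?)\s*(?:\r?\n|$)",
    "After": r"Not valid after\s*:\s*(?P<After>[^\r\n]+?)\s*(?:\r?\n|$)",
}

# Equivalent SPL, appended to the search from the question (each rex reads the raw output field):
#   | rex field=output "Subject\s*:[^\r\n]*?\bCN=(?P<CommonName>[^,\r\n]+?)\s*(?:,|\r?\n|$)"
#   | rex field=output "Issuer\s*:[^\r\n]*?\bCN=(?P<Issuer>[^,\r\n]+?)\s*(?:,|\r?\n|$)"
#   | rex field=output "Not valid before\s*:\s*(?P<Before>[^\r\n]+?)\s*(?:\r?\n|$)"
#   | rex field=output "Not valid after\s*:\s*(?P<After>[^\r\n]+?)\s*(?:\r?\n|$)"
#   | table asset_fqdn, ipv4, port.port, CommonName, Issuer, Before, After


def extract_cert_fields(output: str) -> dict:
    """Pull CommonName, Issuer, Before and After out of one output blob; absent parts are None."""
    found = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, output)
        found[name] = m.group(name) if m else None
    return found


def days_until_expiry(after: str, now: datetime) -> int:
    """Days from `now` until the 'Not valid after' timestamp as Nessus prints it
    (e.g. 'Jan 29 12:00:00 2021 GMT'). Helper assumed for this example."""
    expires = datetime.strptime(after, "%b %d %H:%M:%S %Y %Z")
    return (expires - now).days


# Constructed sample output values mirroring the two shapes shown in the question.
SAMPLE_FULL_DN = (
    "The SSL certificate will expire within 90 days, at\n"
    "Jan 29 12:00:00 2021 GMT :\n"
    "Subject : C=US, ST=California, L=San Jose, O=Jimmy's Bar & Grill, OU=Kitchen, CN=jimmysbarandgrill.com\n"
    "Issuer : C=US, O=DigiCert Inc, CN=DigiCert Global CA G2\n"
    "Not valid before : Jan 29 00:00:00 2019 GMT\n"
    "Not valid after : Jan 29 12:00:00 2021 GMT"
)

SAMPLE_CN_ONLY = (
    "The SSL certificate will expire within 90 days, at\n"
    "Jan 29 12:00:00 2021 GMT :\n"
    "Subject : CN=jimmysbarandgrill.com\n"
    "Issuer : C=US, O=DigiCert Inc, CN=DigiCert Global CA G2\n"
    "Not valid before : Jan 29 00:00:00 2019 GMT\n"
    "Not valid after : Jan 29 12:00:00 2021 GMT"
)

if __name__ == "__main__":
    # Assumed reference date for the expiry calculation.
    reference = datetime(2020, 12, 1, 12, 0, 0)
    for label, blob in (("full DN", SAMPLE_FULL_DN), ("CN only", SAMPLE_CN_ONLY)):
        fields = extract_cert_fields(blob)
        print(label, fields)
        if fields["After"]:
            print("  days until expiry:", days_until_expiry(fields["After"], reference))
```

The lazy `[^\r\n]*?` before `\bCN=` is what keeps the Subject match from running into the Issuer line, and the trailing `\s*(?:,|\r?\n|$)` drops any whitespace or carriage return so the extracted values compare cleanly. In Splunk the extracted `After` string can be turned into an epoch with `eval` and `strptime` using the same format string, which makes a "certificates expiring in the next N days" alert a simple `where` on the difference from `now()`.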