I'm trying to extract Signature Algorithm, but Splunk only recognizes the exact string (sha256WithRSAEncryption) in sample events. When I add a sample event and try to highlight two strings, I get the same 'extraction failed' error message. Is there a way to fix this? How can I get Splunk to extract the string after "(0)Signature Algorithm "?
61362876,10.183.18.99,IP,Ubuntu / Linux 2.6.x,iklabnac04.ms.com,,2016-07-09-00.59.08,86002,Info,443,tcp,"NAME VALUE
(0)CERTIFICATE 0
(0)Version 3 (0x2)
(0)Serial Number 62:53:b8:ff:00:02:00:00:02:07
(0)Signature Algorithm sha256WithRSAEncryption
(0)ISSUER NAME
countryName US
organizationName Morgan Stanley
commonName Dev Morgan Stanley Internal PKI Firmwide Generic Issuing CA 6
Use this regular expression to extract Signature Algorithm in IFX
"Algorithm\s(?<signature_algorithm>[^\s]+)"
*OR, if you want to extract this field inline in your search, use rex*
... | rex "Algorithm\s(?<signature_algorithm>[^\s]+)" | ...
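As an added example (not code from the thread), the answer's rex pattern run in Node.js, whose regex engine accepts the same (?<name>...) named-group syntax as Splunk; the second event and the anchored pattern are constructed to show why anchoring on the full "(0)Signature Algorithm " label the question mentions is safer than matching any "Algorithm" word.

```javascript
// Sample event copied from the thread (the multi-line "NAME VALUE" block).
const SAMPLE_EVENT = [
  '61362876,10.183.18.99,IP,Ubuntu / Linux 2.6.x,iklabnac04.ms.com,,2016-07-09-00.59.08,86002,Info,443,tcp,"NAME VALUE',
  '(0)CERTIFICATE 0',
  '(0)Version 3 (0x2)',
  '(0)Serial Number 62:53:b8:ff:00:02:00:00:02:07',
  '(0)Signature Algorithm sha256WithRSAEncryption',
  '(0)ISSUER NAME',
  'countryName US',
  'organizationName Morgan Stanley',
  'commonName Dev Morgan Stanley Internal PKI Firmwide Generic Issuing CA 6',
].join('\n');

// The answer's pattern, verbatim: the first non-space run after "Algorithm ".
const LOOSE = /Algorithm\s(?<signature_algorithm>[^\s]+)/;

// Assumed tighter variant anchored on the full label from the question, so a
// different line that happens to end in "Algorithm" cannot be picked up first.
const ANCHORED = /\(0\)Signature Algorithm\s(?<signature_algorithm>[^\s]+)/;

// Returns the extracted field value, or null when the event has no match
// (the same outcome as Splunk leaving the field unset).
function extractSignatureAlgorithm(event, pattern = ANCHORED) {
  const m = pattern.exec(event);
  return m ? m.groups.signature_algorithm : null;
}

// Constructed event (not from the thread): another "... Algorithm" line placed
// before the one we want, the ordering that makes the loose pattern misfire.
const CONSTRUCTED_EVENT = [
  '(0)CERTIFICATE 0',
  '(0)Public Key Algorithm rsaEncryption',
  '(0)Signature Algorithm sha1WithRSAEncryption',
].join('\n');

console.log(extractSignatureAlgorithm(SAMPLE_EVENT, LOOSE));       // sha256WithRSAEncryption
console.log(extractSignatureAlgorithm(CONSTRUCTED_EVENT, LOOSE));  // rsaEncryption (wrong line)
console.log(extractSignatureAlgorithm(CONSTRUCTED_EVENT));         // sha1WithRSAEncryption
```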
Thank you! Quick question: what does the "^" (caret) do?
That depends on where it is placed. In this example, it implies "except". So [^\s]+ means everything except space.
thank you!