PowerConnect for SAP Solutions
PowerConnect for SAP Solutions
Breadcrumbs

KB 238 - Fields missing in Certificates CIM Mapping

KB 238 (Splunk): Fields missing in Certificates CIM Mapping

Category: Problem

Priority: High

Platform: Splunk

Version: 1 from 17.12.2025

Description

The Certificates CIM mapping is missing a number of fields such as ssl_start_time, ssl_end_time, and ssl_issuer.

Cause

The addition of the HDB_CERT_LIST event type to the Certificates mapping was malformed, causing both HDB_CERT_LIST and STRUST fields to fail their CIM mapping conversions.

Resolution

In Splunk, navigate to Settings > Fields > Calculated Fields. Set your App filter to “PowerConnect for SAP Solutions (BNW-app-powerconnect)” and Configuration Source filter to “Created in App”. Find the following fields by field name, check their eval expressions, and replace with the new expressions as needed:

Field Name

Old Eval Expression

New Eval Expression

ssl_end_time
Splunk SPL
if(EVENT_TYPE="HDB_CERT_LIST",VALID_UNTIL,EVENT_TYPE="STRUST",strptime(VALID_TO." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),ssl_end_time)
Splunk SPL
case(EVENT_TYPE="HDB_CERT_LIST",VALID_UNTIL,EVENT_TYPE="STRUST",strptime(VALID_TO." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),true(),ssl_end_time)

ssl_start_time
Splunk SPL
if(EVENT_TYPE="HDB_CERT_LIST",VALID_FROM,EVENT_TYPE="STRUST",strptime(VALID_FROM." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),ssl_start_time)
Splunk SPL
case(EVENT_TYPE="HDB_CERT_LIST",VALID_FROM,EVENT_TYPE="STRUST",strptime(VALID_FROM." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),true(),ssl_start_time)

ssl_validity_window
Splunk SPL
if(EVENT_TYPE="HDB_CERT_LIST",strptime(VALID_UNTIL." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z")-strptime(VALID_FROM." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),EVENT_TYPE="STRUST",strptime(VALID_TO." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z")-strptime(VALID_FROM." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"), ssl_validity_window)
Splunk SPL
case(EVENT_TYPE="HDB_CERT_LIST",strptime(VALID_UNTIL." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z")-strptime(VALID_FROM." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),EVENT_TYPE="STRUST",strptime(VALID_TO." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z")-strptime(VALID_FROM." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),true(), ssl_validity_window)

ssl_issuer
Splunk SPL
if(EVENT_TYPE="HDB_CERT_LIST",ISSUER_NAME,EVENT_TYPE="STRUST",ISSUER,ssl_issuer)
Splunk SPL
case(EVENT_TYPE="HDB_CERT_LIST",ISSUER_NAME,EVENT_TYPE="STRUST",ISSUER,true(),ssl_issuer)

ssl_subject
Splunk SPL
if(EVENT_TYPE="HDB_CERT_LIST",SUBJECT_NAME,EVENT_TYPE="STRUST",SUBJECT,ssl_subject)
Splunk SPL
case(EVENT_TYPE="HDB_CERT_LIST",SUBJECT_NAME,EVENT_TYPE="STRUST",SUBJECT,true(),ssl_subject)

ssl_serial
Splunk SPL
if(EVENT_TYPE="HDB_CERT_LIST",CERTIFICATE_ID,EVENT_TYPE="STRUST",SNUMBER,ssl_serial)
Splunk SPL
case(EVENT_TYPE="HDB_CERT_LIST",CERTIFICATE_ID,EVENT_TYPE="STRUST",SNUMBER,true(),ssl_serial)

Product version

Product

From

To

PowerConnect for SAP Solutions (Splunk App)

8.3.0

9.0.1