Refine your search:

monitor a certain location registry location and had a strange error occuring

0

Hi All,

I have for many days went sleepless over a problem which i need help with (and i found here to ask!).

I would like to know how to get splunk to only return (or as you would call it index) 1 or 2 hives in the HKLM hardware and software\controlset001 and *HKEY_CLASSES_ROOT* so that less data is indexed for activities inside splunk (making it faster to do other jobs) from a server.

I tried this: adding sysmon.conf and regmon-filter.conf to C:\Program Files\Splunk\etc\system\local. Then no more events came in [Stored a local copy of forwarded events setup in manager) and ALSO forwarded to the splunk (server) receiver filter did not work and until i killed the 2 files (sysmon.conf and regmon-filter.conf) added with stanzas inside them. this is a VMware guest with win 2008 r2 enterprise 64bits installed. This VM machine acts as a forwarder to a receiver (a windows 7 64 bits machine not a VM).

I restart splunk by going to my C:\program files\splunk\bin to restart it. On many occassions, the splunk server restart and i did not find the change successful. The event (e.g chg and add key to the hives mention above) were not in when i try to search. and no activity recorded.

The forwarder only had WinRegistry indexed as i want to isolate where did i go wrong. all other WMIs are disabled as such.

question 2: What is mrsparkle? I had this prompted when i tried to restart and it prompt me that splunkd is not stopped and the change cannot be carried out. and asks if i want to review the change.

I stopped splunkd thru CLI by keying splunkd stop then i tried to restart the forwarder splunk restart asks me again if i want to review the change i said yes and i saw some code that says something about mrsparkle.

I hope someone can help me (i'm helping someone else out of goodwill), i think i can help blog about how to work the registry properly cutting down the data to be chewed on splunk. The part about registry in splunk docs is relatively vague and despite changing it in the location in admin manual, still no joy.

Warmest regards, Ethan Hunt.

asked 22 Jul '10, 19:49

e82than's gravatar image

e82than
8218
accept rate: 7%

Be the first one to answer this question!
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×14
×12
×8

Asked: 22 Jul '10, 19:49

Seen: 413 times

Last updated: 22 Jul '10, 19:49

Related questions

Manual Inputs, what location are they kept?

If you had a choice, would you use CSV or XML files for Splunk to eat?

Getting error when i called a lookup file

Montoring apache logs using splunk

Splunk not indexing modified files

Copied defaultdb to another server and now cannot access events

Deployment client fails to restart splunkd - manual restart needed

Archiving and signing at the same time

"Merging hot Databases"

Copyright © 2005-2012 Splunk Inc. All rights reserved.