Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Configuring Windows Registry

cald0002
New Member
‎11-12-2019 03:06 AM

I am having trouble extracting certain information from registry events. For example I want to extract the "SetValue" from the registry type, however, when I try to use the "extract fields" option to create to create a field for it, Splunk does not allow me to select that specific string to create the field. Is there a way to fix this? Or an alternative method to create fields for registry_type and also key_path and process_image?

event_status="(0)The operation completed successfully."
pid=7008
process_image="svchost.exe"
registry_type="SetValue"
key_path="HKU\s-1-5-20\software\microsoft\windows\currentversion\deliveryoptimization\config\downloadmode_backcompat"
data_type="REG_DWORD"
data="0x00000001(1)"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎11-12-2019 05:58 AM

are you using the Splunk TA for Windows?
did you follow this doc:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsregistrydata
I see all the fields extracted, screenshot below

alt text

View solution in original post

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎11-12-2019 05:58 AM

are you using the Splunk TA for Windows?
did you follow this doc:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsregistrydata
I see all the fields extracted, screenshot below

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

cald0002
New Member
‎11-13-2019 04:17 AM

Hi Adonio I am using the TA for Windows and I also followed the doc, however my events still do not look like the ones you have in the screen shot. This is the monitor I am using, not sure if it aligns with the one you are using.

[WinRegMon://hklm_run]
disabled = 0
hive = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.*
proc = .*
index = windows
type = rename|set|create|delete|rename

Also, do you think I need to make any changes or configs to any other file? In order to get all the other events to come in properly?

0 Karma
Reply
Solved! Jump to solution

cald0002
New Member
‎11-13-2019 04:18 AM

I also had an asterisk at the end of hive in proc, not sure why it didnt come up.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...