I am having trouble extracting certain information from registry events. For example, I want to extract the "SetValue" from the registry type; however, when I try to use the "extract fields" option to create a field for it, Splunk does not allow me to select that specific string to create the field. Is there a way to fix this? Or an alternative method to create fields for registry_type and also key_path and process_image?
event_status="(0)The operation completed successfully."
pid=7008
process_image="svchost.exe"
registry_type="SetValue"
key_path="HKU\s-1-5-20\software\microsoft\windows\currentversion\deliveryoptimization\config\downloadmode_backcompat"
data_type="REG_DWORD"
data="0x00000001(1)"
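An added example, not part of the question and not Splunk's own code: it checks a key="value" regex against the event posted above in Python before the same pattern is used in a Splunk rex command or props.conf EXTRACT- stanza. The sample event is constructed from the fields shown in the post, and the function names are hypothetical.

```python
import re

# Constructed sample event built from the fields shown in the question; a real
# Splunk event may carry them on one line or on several, the regex handles both.
SAMPLE_EVENT = (
    'event_status="(0)The operation completed successfully."\n'
    'pid=7008\n'
    'process_image="svchost.exe"\n'
    'registry_type="SetValue"\n'
    'key_path="HKU\\s-1-5-20\\software\\microsoft\\windows\\currentversion'
    '\\deliveryoptimization\\config\\downloadmode_backcompat"\n'
    'data_type="REG_DWORD"\n'
    'data="0x00000001(1)"'
)

# Matches key="quoted value" or key=bare_value. A quoted value is everything up
# to the next double quote, so the backslashes in key_path, the spaces and
# parentheses in event_status and the "(1)" suffix in data are all kept intact.
# The (?P<name>...) group syntax is accepted by Python's re and by the PCRE
# engine Splunk uses for rex and props.conf extractions.
KV_PATTERN = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def extract_fields(event: str) -> dict:
    """Return every key=value pair in the event as a dict of strings."""
    fields = {}
    for m in KV_PATTERN.finditer(event):
        quoted = m.group("quoted")
        fields[m.group("key")] = quoted if quoted is not None else m.group("bare")
    return fields


def extract_field(event: str, name: str):
    """Extract one quoted field, mirroring a per-field rex such as
    registry_type="(?P<registry_type>[^"]*)"; returns None if absent."""
    m = re.search(rf'{re.escape(name)}="(?P<{name}>[^"]*)"', event)
    return m.group(name) if m else None


if __name__ == "__main__":
    for key, value in extract_fields(SAMPLE_EVENT).items():
        print(f"{key} = {value}")
    print("registry_type ->", extract_field(SAMPLE_EVENT, "registry_type"))
```

If the per-field regex returns the expected value here, the same expression (with the inner double quotes escaped) can be pasted into `rex field=_raw "..."` or an EXTRACT- stanza; when it does not, adjust the pattern in Python first rather than in the field extractor UI.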