https://community.splunk.com/t5/Getting-Data-In/Configuring-Windows-Registry/m-p/482295#M82659 <P>Hi Adonio I am using the TA for Windows and I also followed the doc, however my events still do not look like the ones you have in the screen shot. This is the monitor I am using, not sure if it aligns with the one you are using.</P> <P>[WinRegMon://hklm_run]<BR /> disabled = 0<BR /> hive = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.*<BR /> proc = .*<BR /> index = windows<BR /> type = rename|set|create|delete|rename</P> <P>Also, do you think I need to make any changes or configs to any other file? In order to get all the other events to come in properly?</P> Wed, 13 Nov 2019 12:17:36 GMT cald0002 2019-11-13T12:17:36Z https://community.splunk.com/t5/Getting-Data-In/Configuring-Windows-Registry/m-p/482293#M82657 <P>I am having trouble extracting certain information from registry events. For example I want to extract the "SetValue" from the registry type, however, when I try to use the "extract fields" option to create to create a field for it, Splunk does not allow me to select that specific string to create the field. Is there a way to fix this? Or an alternative method to create fields for registry_type and also key_path and process_image?</P> <P>event_status="(0)The operation completed successfully."<BR /> pid=7008<BR /> process_image="svchost.exe"<BR /> registry_type="SetValue"<BR /> key_path="HKU\s-1-5-20\software\microsoft\windows\currentversion\deliveryoptimization\config\downloadmode_backcompat"<BR /> data_type="REG_DWORD"<BR /> data="0x00000001(1)"</P> Wed, 30 Sep 2020 02:56:32 GMT https://community.splunk.com/t5/Getting-Data-In/Configuring-Windows-Registry/m-p/482293#M82657 cald0002 2020-09-30T02:56:32Z https://community.splunk.com/t5/Getting-Data-In/Configuring-Windows-Registry/m-p/482294#M82658 <P>are you using the Splunk TA for Windows?<BR /> did you follow this doc:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsregistrydata">https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsregistrydata</A><BR /> I see all the fields extracted, screenshot below</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7943i8636B7A0764F4B32/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 12 Nov 2019 13:58:41 GMT https://community.splunk.com/t5/Getting-Data-In/Configuring-Windows-Registry/m-p/482294#M82658 adonio 2019-11-12T13:58:41Z https://community.splunk.com/t5/Getting-Data-In/Configuring-Windows-Registry/m-p/482295#M82659 <P>Hi Adonio I am using the TA for Windows and I also followed the doc, however my events still do not look like the ones you have in the screen shot. This is the monitor I am using, not sure if it aligns with the one you are using.</P> <P>[WinRegMon://hklm_run]<BR /> disabled = 0<BR /> hive = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.*<BR /> proc = .*<BR /> index = windows<BR /> type = rename|set|create|delete|rename</P> <P>Also, do you think I need to make any changes or configs to any other file? In order to get all the other events to come in properly?</P> Wed, 13 Nov 2019 12:17:36 GMT https://community.splunk.com/t5/Getting-Data-In/Configuring-Windows-Registry/m-p/482295#M82659 cald0002 2019-11-13T12:17:36Z https://community.splunk.com/t5/Getting-Data-In/Configuring-Windows-Registry/m-p/482296#M82660 <P>I also had an asterisk at the end of hive in proc, not sure why it didnt come up.</P> Wed, 13 Nov 2019 12:18:58 GMT https://community.splunk.com/t5/Getting-Data-In/Configuring-Windows-Registry/m-p/482296#M82660 cald0002 2019-11-13T12:18:58Z