https://community.splunk.com/t5/Monitoring-Splunk/In-Windows-monitoring-how-do-you-get-WinRegMon-to-produce-a/m-p/419549#M5697 <P>So turns out it was being lost in the sea of events. It's indexing the data at the time when the change was made, not at the time when it pulls back in the data, which makes sense.</P> Mon, 08 Oct 2018 13:48:29 GMT althomas 2018-10-08T13:48:29Z https://community.splunk.com/t5/Monitoring-Splunk/In-Windows-monitoring-how-do-you-get-WinRegMon-to-produce-a/m-p/419548#M5696 <P>Hi all,</P> <P>I'm having lots of issues trying to get WinRegMon to do a baseline. I've pushed this to my workstation and it is working when I make manual changes to the registry. However, as I've got baseline set to 1 and an interval of a day's worth of seconds, I would expect there to be daily entries into the main index for all keys existing in the below.</P> <P>My config looks a bit like this:</P> <PRE><CODE>[WinRegMon://outlookDisabled] disabled = 0 proc = .* type = rename|create|delete|set index = main baseline = 1 baseline_interval = 86400 hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Office\\.*\\Outlook\\Resiliency\\DisabledItems\\.* </CODE></PRE> <P>Has anyone had any experience with baselines not pulling in data?</P> <P>Thanks!<BR /> Alex</P> Mon, 08 Oct 2018 11:14:51 GMT https://community.splunk.com/t5/Monitoring-Splunk/In-Windows-monitoring-how-do-you-get-WinRegMon-to-produce-a/m-p/419548#M5696 althomas 2018-10-08T11:14:51Z https://community.splunk.com/t5/Monitoring-Splunk/In-Windows-monitoring-how-do-you-get-WinRegMon-to-produce-a/m-p/419549#M5697 <P>So turns out it was being lost in the sea of events. It's indexing the data at the time when the change was made, not at the time when it pulls back in the data, which makes sense.</P> Mon, 08 Oct 2018 13:48:29 GMT https://community.splunk.com/t5/Monitoring-Splunk/In-Windows-monitoring-how-do-you-get-WinRegMon-to-produce-a/m-p/419549#M5697 althomas 2018-10-08T13:48:29Z