I'd like to report an incomplete transform of RegistryValueData in Splunk_TA_microsoft_sysmon v1.0.1

Now it looks like:

[sysmon-registryvaluedata]
REGEX = <Data Name='Details'>\w+\s\((.+)\)</Data>
FORMAT = RegistryValueData::$1

So it works fine when Details contains: DWORD (0x00000001)

But when it is a string value, it doesn't make sense. 

What about this transform?

[sysmon-registryvaluedata]
REGEX = <Data Name='Details'>(?:([^(^)]*)|\w+\s\((.+)\))</Data>
FORMAT = RegistryValueData::$1