Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my WinRegMon configuration to filter out certain Windows registry events?

lelandtheg
Engager
‎07-20-2016 09:53 AM

Hello!

I need some help filtering Windows registry events in Splunk. Here is my inputs.conf file

[WinRegMon://default]
disabled = 0
hive = .*
proc = .(?!symantec|google)([a-z0-9*]+)$
type = rename|set|delete|create
index = windows

As you can see in proc, I am trying to remove all entries which have the word sDymantec and google, but I have had no success.

Could anyone provide a way they are doing this or a suggestion?

Thank you!

Reply

dstaulcu
Builder
‎02-02-2017 05:36 PM

needed to do the same today. this seems to work for me.

proc = ^((?!(reg.exe|powershell_ise.exe)).)*$
Reply

mikefg
Communicator
‎03-15-2024 09:17 AM

I've been working on an issue where I need to be able to filter out a registry entry as well, but this solution doesn't get me there.   I need to filter out the languagelist entry, just can't get the regex to work. Anyone else have success filtering reg entries?

I need to filter out this entry.

HKU\.default\software\classes\local settings\muicache\2c4\52c64b7e\languagelist
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...