Splunk Search

How to combine two searches into one table?

feelcool
Explorer

Hello, everyone!
First, sorry for my bad English.

I have a problem joining two results.

The raw data is a reg file, like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc]
"DisplayName"="@%systemroot%\\system32\\XboxNetApiSvc.dll,-100"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000003
"Type"=dword:00000020
"Description"="@%systemroot%\\system32\\XboxNetApiSvc.dll,-101"
"DependOnService"=hex(7):42,00,46,00,45,00,00,00,6d,00,70,00,73,00,73,00,76,00,\
  63,00,00,00,00,00
"ObjectName"="LocalSystem"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,\
  00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,\
  72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,\
  00,65,00,67,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc\Parameters]
"ServiceDll"="%SystemRoot%\system32\XboxNetApiSvc.dll"
"ServiceDllUnloadOnStop"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xboxgip]
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
  00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,62,00,6f,00,78,00,67,00,69,00,\
  70,00,2e,00,73,00,79,00,73,00,00,00
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"Group"="NDIS"
"Tag"=dword:00000001
"DisplayName"="@xboxgip.inf,%XBOXGIP_Desc%;Xbox Game Input Protocol Driver"
"Description"="@xboxgip.inf,%XBOXGIP_Desc%;Xbox Game Input Protocol Driver"
"Owners"=hex(7):78,00,62,00,6f,00,78,00,67,00,69,00,70,00,2e,00,69,00,6e,00,66,\
  00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xboxgip\Linkage]
"Export"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,78,00,62,00,6f,\
  00,78,00,67,00,69,00,70,00,00,00,00,00
"Bind"=hex(7):00,00
"Route"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xboxgip\Parameters]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave]
"DisplayName"="@%systemroot%\\system32\\XblGameSave.dll,-100"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000003
"Type"=dword:00000020
"Description"="@%systemroot%\\system32\\XblGameSave.dll,-101"
"DependOnService"=hex(7):55,00,73,00,65,00,72,00,4d,00,61,00,6e,00,61,00,67,00,\
  65,00,72,00,00,00,58,00,62,00,6c,00,41,00,75,00,74,00,68,00,4d,00,61,00,6e,\
  00,61,00,67,00,65,00,72,00,00,00,00,00
"ObjectName"="LocalSystem"
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,04,00,00,00,14,00,00,\
  00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,\
  00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave\Parameters]
"ServiceDll"="%SystemRoot%\System32\XblGameSave.dll"
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceIdleTimeout"=dword:0000003c


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wof]
"SupportedFeatures"=dword:00000003
"DisplayName"="Windows Overlay File System Filter Driver"
"ErrorControl"=dword:00000001
"Group"="FSFilter Compression"
"Start"=dword:00000000
"Type"=dword:00000002
"DependOnService"=hex(7):46,00,6c,00,74,00,4d,00,67,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wof\Instances]
"DefaultInstance"="Wof Instance"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wof\Instances\Wof Instance]
"Altitude"="40700"
"Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wof\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\workerdd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\workerdd\Device0]
"InstalledDisplayDrivers"=hex(7):57,00,4f,00,52,00,4b,00,45,00,52,00,44,00,44,\
  00,00,00,00,00
"VgaCompatible"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\workfolderssvc]
"DisplayName"="@%systemroot%\\system32\\workfolderssvc.dll,-102"
"ErrorControl"=dword:00000001
"Group"="LocalService"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,00,00
"Start"=dword:00000003
"Type"=dword:00000020
"Description"="@%systemroot%\\system32\\workfolderssvc.dll,-101"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,73,00,65,00,\
  61,00,72,00,63,00,68,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,\
  00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,00,00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wpcfltr]
"DisplayName"="Family Safety Filter Driver"
"ErrorControl"=dword:00000001
"Group"="NDIS"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,70,00,63,00,66,00,6c,00,74,\
  00,72,00,2e,00,73,00,79,00,73,00,00,00
"Start"=dword:00000003
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wpcfltr\Security]
"Security"=hex:01,00,14,80,8c,00,00,00,98,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,5c,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
  00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,01,00,00,00,00,\
  00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPDBusEnum]
"Start"=dword:00000003
"DisplayName"="@%SystemRoot%\\system32\\wpdbusenum.dll,-100"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,79,00,73,00,74,00,65,00,6d,\
  00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,72,00,\
  69,00,63,00,74,00,65,00,64,00,00,00
"Type"=dword:00000020
"Description"="@%SystemRoot%\\system32\\wpdbusenum.dll,-101"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ObjectName"="LocalSystem"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,68,00,\
  61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,\
  00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,\
  61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,\
  00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,\
  74,00,65,00,50,00,65,00,72,00,6d,00,61,00,6e,00,65,00,6e,00,74,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,\
  70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,\
  00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPDBusEnum\BthActiveConnect]
"ACInterval"=dword:00000078
"DCInterval"=dword:000000f0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPDBusEnum\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001

You can save it as a .reg file and import it into Splunk.

The first search result is :

[screenshot: feelcool_0-1642745251469.png]

The second search result is :

[screenshot: feelcool_1-1642745391582.png]

And my problem is how to join these two searches when SrvName=SrvName2; the final result should look like below:

[screenshot: feelcool_2-1642745798794.png]

How to solve this problem with splunk?

Thank you, my friends!


0 Karma
1 Solution

ITWhisperer
SplunkTrust
| makeresults
| eval _raw="Windows Registry Editor Version 5.00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services]
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XboxNetApiSvc]
\"DisplayName\"=\"@%systemroot%\\\\system32\\\\XboxNetApiSvc.dll,-100\"
\"ErrorControl\"=dword:00000001
\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
\"Start\"=dword:00000003
\"Type\"=dword:00000020
\"Description\"=\"@%systemroot%\\\\system32\\\\XboxNetApiSvc.dll,-101\"
\"DependOnService\"=hex(7):42,00,46,00,45,00,00,00,6d,00,70,00,73,00,73,00,76,00,\\
  63,00,00,00,00,00
\"ObjectName\"=\"LocalSystem\"
\"ServiceSidType\"=dword:00000001
\"RequiredPrivileges\"=hex(7):53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,\\
  00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,\\
  72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,\\
  00,65,00,67,00,65,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XboxNetApiSvc\\Parameters]
\"ServiceDll\"=\"%SystemRoot%\\system32\\XboxNetApiSvc.dll\"
\"ServiceDllUnloadOnStop\"=dword:00000001
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\xboxgip]
\"ImagePath\"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
  74,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\\
  00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,62,00,6f,00,78,00,67,00,69,00,\\
  70,00,2e,00,73,00,79,00,73,00,00,00
\"Type\"=dword:00000001
\"Start\"=dword:00000003
\"ErrorControl\"=dword:00000001
\"Group\"=\"NDIS\"
\"Tag\"=dword:00000001
\"DisplayName\"=\"@xboxgip.inf,%XBOXGIP_Desc%;Xbox Game Input Protocol Driver\"
\"Description\"=\"@xboxgip.inf,%XBOXGIP_Desc%;Xbox Game Input Protocol Driver\"
\"Owners\"=hex(7):78,00,62,00,6f,00,78,00,67,00,69,00,70,00,2e,00,69,00,6e,00,66,\\
  00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\xboxgip\\Linkage]
\"Export\"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,78,00,62,00,6f,\\
  00,78,00,67,00,69,00,70,00,00,00,00,00
\"Bind\"=hex(7):00,00
\"Route\"=hex(7):00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\xboxgip\\Parameters]
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XblGameSave]
\"DisplayName\"=\"@%systemroot%\\\\system32\\\\XblGameSave.dll,-100\"
\"ErrorControl\"=dword:00000001
\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
\"Start\"=dword:00000003
\"Type\"=dword:00000020
\"Description\"=\"@%systemroot%\\\\system32\\\\XblGameSave.dll,-101\"
\"DependOnService\"=hex(7):55,00,73,00,65,00,72,00,4d,00,61,00,6e,00,61,00,67,00,\\
  65,00,72,00,00,00,58,00,62,00,6c,00,41,00,75,00,74,00,68,00,4d,00,61,00,6e,\\
  00,61,00,67,00,65,00,72,00,00,00,00,00
\"ObjectName\"=\"LocalSystem\"
\"FailureActions\"=hex:80,51,01,00,00,00,00,00,00,00,00,00,04,00,00,00,14,00,00,\\
  00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,\\
  00,00,00,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XblGameSave\\Parameters]
\"ServiceDll\"=\"%SystemRoot%\\System32\\XblGameSave.dll\"
\"ServiceDllUnloadOnStop\"=dword:00000001
\"ServiceIdleTimeout\"=dword:0000003c
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wof]
\"SupportedFeatures\"=dword:00000003
\"DisplayName\"=\"Windows Overlay File System Filter Driver\"
\"ErrorControl\"=dword:00000001
\"Group\"=\"FSFilter Compression\"
\"Start\"=dword:00000000
\"Type\"=dword:00000002
\"DependOnService\"=hex(7):46,00,6c,00,74,00,4d,00,67,00,72,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wof\\Instances]
\"DefaultInstance\"=\"Wof Instance\"
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wof\\Instances\\Wof Instance]
\"Altitude\"=\"40700\"
\"Flags\"=dword:00000000
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wof\\Parameters]
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\workerdd]
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\workerdd\\Device0]
\"InstalledDisplayDrivers\"=hex(7):57,00,4f,00,52,00,4b,00,45,00,52,00,44,00,44,\\
  00,00,00,00,00
\"VgaCompatible\"=dword:00000000
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\workfolderssvc]
\"DisplayName\"=\"@%systemroot%\\\\system32\\\\workfolderssvc.dll,-102\"
\"ErrorControl\"=dword:00000001
\"Group\"=\"LocalService\"
\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\\
  00,65,00,00,00
\"Start\"=dword:00000003
\"Type\"=dword:00000020
\"Description\"=\"@%systemroot%\\\\system32\\\\workfolderssvc.dll,-101\"
\"DependOnService\"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,73,00,65,00,\\
  61,00,72,00,63,00,68,00,00,00,00,00
\"ObjectName\"=\"NT AUTHORITY\\\\LocalService\"
\"ServiceSidType\"=dword:00000001
\"RequiredPrivileges\"=hex(7):53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,\\
  00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\\
  65,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wpcfltr]
\"DisplayName\"=\"Family Safety Filter Driver\"
\"ErrorControl\"=dword:00000001
\"Group\"=\"NDIS\"
\"ImagePath\"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,70,00,63,00,66,00,6c,00,74,\\
  00,72,00,2e,00,73,00,79,00,73,00,00,00
\"Start\"=dword:00000003
\"Type\"=dword:00000001
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wpcfltr\\Security]
\"Security\"=hex:01,00,14,80,8c,00,00,00,98,00,00,00,14,00,00,00,30,00,00,00,02,\\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\\
  00,00,02,00,5c,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\\
  20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\\
  00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,01,00,00,00,00,\\
  00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WPDBusEnum]
\"Start\"=dword:00000003
\"DisplayName\"=\"@%SystemRoot%\\\\system32\\\\wpdbusenum.dll,-100\"
\"ErrorControl\"=dword:00000001
\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,79,00,73,00,74,00,65,00,6d,\\
  00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,72,00,\\
  69,00,63,00,74,00,65,00,64,00,00,00
\"Type\"=dword:00000020
\"Description\"=\"@%SystemRoot%\\\\system32\\\\wpdbusenum.dll,-101\"
\"DependOnService\"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
\"ObjectName\"=\"LocalSystem\"
\"ServiceSidType\"=dword:00000001
\"RequiredPrivileges\"=hex(7):53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,\\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,68,00,\\
  61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,\\
  00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,\\
  61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,\\
  00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,\\
  74,00,65,00,50,00,65,00,72,00,6d,00,61,00,6e,00,65,00,6e,00,74,00,50,00,72,\\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,\\
  70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,\\
  00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
\"FailureActions\"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WPDBusEnum\\BthActiveConnect]
\"ACInterval\"=dword:00000078
\"DCInterval\"=dword:000000f0
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WPDBusEnum\\Parameters]
\"ServiceDllUnloadOnStop\"=dword:00000001"
| eval event=split(_raw,"|")
| mvexpand event
| rex field=event "(?ms)(?<event>\[.*)"
| eval _raw=event
| table _raw
``` the lines above create some sample data ```
``` extract service name with or without Parameter key ```
| rex "Services\\\\(?<SrvName>\w+)(\\\\Parameters)?\]"
``` extract other fields where they exist ```
| rex "\"Start\"=dword:(?<Start>\d+)"
| rex "\"Type\"=dword:(?<Type>\d+)"
| rex "\"ServiceDll\"=\"(?<SrvDll>[^\"]+)"
``` gather fields where service name matches ```
| stats values(*) as * by SrvName
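As an added example (not code from the thread, and not Splunk's), here is a standalone Python parser that does outside Splunk what the answer's rex + stats does: it folds each Services\<name> key and its \Parameters subkey into one row per service name, skips the other subkeys (Linkage, Security, Instances, ...), and additionally decodes the hex(2) and hex(7) values that the raw export stores as UTF-16LE, so the merged row shows which binary runs (ImagePath), as which account (ObjectName) and with which privileges (RequiredPrivileges), which the SPL above leaves as raw hex. The sample .reg text is a constructed, trimmed copy of entries from the post; the function and regex names are my own.

```python
"""Added example: merge a Services .reg export by service name, outside Splunk.
Mirrors the answer (service key with or without Parameters subkey, then group
by name) and decodes dword/hex(2)/hex(7). Sample data is constructed from the post."""
import re
from collections import defaultdict

# Constructed sample: trimmed entries from the post, same .reg syntax.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000003
"Type"=dword:00000020
"ObjectName"="LocalSystem"
"RequiredPrivileges"=hex(7):53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,\
  00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,\
  72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,\
  00,65,00,67,00,65,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc\Parameters]
"ServiceDll"="%SystemRoot%\system32\XboxNetApiSvc.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xboxgip\Linkage]
"Bind"=hex(7):00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\workfolderssvc]
"Start"=dword:00000003
"Type"=dword:00000020
"ObjectName"="NT AUTHORITY\\LocalService"
'''

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<val>.*)$')
# Service key with or without its Parameters subkey; Linkage, Security, ... are skipped.
SERVICE_RE = re.compile(r"\\Services\\(?P<name>[^\\\]]+)(?:\\Parameters)?$")

def _logical_lines(text):
    """Yield .reg lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):          # hex data continues on the next line
            buf = buf[:-1]
            continue
        yield buf
        buf = ""
    if buf:
        yield buf

def decode_value(val):
    """Decode one .reg value literal: quoted string, dword, hex, hex(2), hex(7)."""
    if val.startswith('"') and val.endswith('"'):
        return val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if val.startswith("dword:"):
        return int(val[6:], 16)
    m = re.match(r"^hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<data>[0-9a-fA-F,]*)$", val)
    if not m:
        return val
    data = bytes.fromhex(m.group("data").replace(",", ""))
    kind = m.group("t") or "3"                      # bare "hex:" is REG_BINARY
    if kind == "2":                                 # REG_EXPAND_SZ, UTF-16LE
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == "7":                                 # REG_MULTI_SZ, NUL-separated
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data.hex()

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for every key in the export."""
    keys, current = {}, None
    for line in _logical_lines(text):
        m = SECTION_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = decode_value(m.group("val"))
    return keys

def merge_services(keys):
    """Fold Services\\<name> and Services\\<name>\\Parameters into one row per name."""
    services = defaultdict(dict)
    for path, values in keys.items():
        m = SERVICE_RE.search(path)
        if m:
            services[m.group("name")].update(values)
    return dict(services)

def service_table(services, columns=("Start", "Type", "ServiceDll", "ImagePath",
                                     "ObjectName", "RequiredPrivileges")):
    """One row per SrvName, the shape the question asks for."""
    return [dict(SrvName=n, **{c: services[n].get(c) for c in columns})
            for n in sorted(services, key=str.lower)]

if __name__ == "__main__":
    for row in service_table(merge_services(parse_reg(SAMPLE_REG))):
        print(row)
```

A file exported by regedit is UTF-16LE with a BOM, so read it with `open(path, encoding="utf-16")` before passing it to `parse_reg`. The REG_BINARY `Security` descriptor is left as a hex string; decoding that SDDL-equivalent blob is a separate job. Like the SPL, the merge key is the name between `Services\` and the next backslash, so a service whose `Parameters` key lives elsewhere would not be merged.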


feelcool
Explorer

Oh no.

I pushed the wrong button to submit the solution! How do I change it? Is there any Splunk employee who can help me?

0 Karma

ITWhisperer
SplunkTrust

Do you have a "Not the solution" button on the reply?

[screenshot: ITWhisperer_0-1642781166713.png]

If not, don't worry about it 😀

0 Karma

feelcool
Explorer

Oh! I found it!

Thank you, ITWhisperer!

0 Karma

feelcool
Explorer

You are so great. I feel angry with myself; I'm so stupid.


0 Karma

feelcool
Explorer

No, I don't have this button.

0 Karma

feelcool
Explorer

Wow! It works very well!

Thank you very much @ITWhisperer, you are so great!
