S/N or S_N (as Splunk renamed it) is just a name for a serial number that I put there, in the hope that Splunk would know to get all the data of a key and make it into one cassette/cell. What 1 is, is a key in the registry. Keep in mind that I haven't imported the data into Splunk just yet. I'm looking for alternatives as to how I could import it into Splunk so I can better understand it. Your code, I assume, would work in the search field, right? What I was asking was how I could import it better so I can work with it better. My main questions are:

1. If I put a kind of serial number on all keys, would Splunk know what is what and where it needs to go? Example: This is the original file:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog]
"FlushTimer"=dword:00000000
"ClockType"=dword:00000001
"BufferSize"=dword:00000001
"FileMax"=dword:00000005
"MaxFileSize"=dword:00000005
"Guid"="{C0D58A38-5115-43d8-A762-227AC8CA1B5D}"
"FileName"="%SystemRoot%\\System32\\LogFiles\\AIT\\AitEventLog.etl"
"LogFileMode"=dword:01001282
"Start"=dword:00000000
"FileCounter"=dword:00000003
"Status"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog\{6ADDABF4-8C54-4eab-BF4F-FBEF61B62EB0}]
"Enabled"=dword:00000001
"MatchAnyKeyword"=hex(b):00,00,00,00,00,00,00,00
"Status"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio]
"GUID"="{15BC788A-6A38-4D79-8773-B53FDFB84D79}"
"FileName"=""
"MaxFileSize"=dword:00000002
"LogFileMode"=dword:10008400
"Start"=dword:00000000
"ClockType"=dword:00000002
"Status"=dword:00000000

This would be the serialized file:

1,[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog]
1,FlushTimer=dword:00000000
1,ClockType=dword:00000001
1,BufferSize=dword:00000001
1,FileMax=dword:00000005
1,MaxFileSize=dword:00000005
1,"Guid=""{C0D58A38-5115-43d8-A762-227AC8CA1B5D}"""
1,"FileName=""%SystemRoot%\\System32\\LogFiles\\AIT\\AitEventLog.etl"""
1,LogFileMode=dword:01001282
1,Start=dword:00000000
1,FileCounter=dword:00000003
1,Status=dword:00000000
,
2,[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog\{6ADDABF4-8C54-4eab-BF4F-FBEF61B62EB0}]
2,Enabled=dword:00000001
2,"MatchAnyKeyword=hex(b):00,00,00,00,00,00,00,00"
2,Status=dword:00000000
,
3,[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio]
3,"GUID=""{15BC788A-6A38-4D79-8773-B53FDFB84D79}"""
3,"FileName="""""
3,MaxFileSize=dword:00000002
3,LogFileMode=dword:10008400
3,Start=dword:00000000
3,ClockType=dword:00000002
3,Status=dword:00000000

2. If I want to, can I, could I make, let's say, "...\AITEventLog]" look more like this type of record?

20220103111740.000000
Category=12551
CategoryString=Other Logon/Logoff Events
EventCode=4803
EventIdentifier=4803
EventType=4
Logfile=Security
RecordNumber=105722
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20220103091740.977733-000
TimeWritten=20220103091740.977733-000
Type=Audit Success
User=NULL
ComputerName=XXXXXX
wmi_type=WinEventLog:Security
Message=The screen saver was dismissed.

And how could I do that? How can I tell Splunk to get data from that file and show it to me like this? Thank you for your time.
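One way to get from the .reg export to the "one key, many name=value lines" shape asked about in question 2, as an added example that is not part of the original post or of Splunk: a small pre-processing script that parses the .reg text and writes one multi-line event per registry key, decoding dword/hex values and unescaping strings on the way. It assumes the input looks like the .reg text shown in the post (a [KEY] header followed by "Name"=value lines); the function names (parse_reg, decode_value, format_event, reg_to_events) and the RegistryKey and ValueCount field names are my own choices, and the SAMPLE_REG text is the post's first two keys, trimmed, plus one constructed wrapped hex value to show line continuation.

```python
"""Turn a Windows .reg export into one key=value event per registry key.

Added example for this thread (not from the original post). Assumes the input is
the .reg text format shown in the post: one [KEY] header per key followed by
"Name"=value lines. Function and field names (parse_reg, RegistryKey, ValueCount,
...) are my own choices, not Splunk's.
"""
import re
from typing import Dict, List, Optional, Union

Decoded = Union[int, str, bytes]

# Constructed sample: the post's first two keys, trimmed, plus one wrapped
# hex value (the "Sample" line) to show how regedit continues long data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog]
"FlushTimer"=dword:00000000
"Guid"="{C0D58A38-5115-43d8-A762-227AC8CA1B5D}"
"FileName"="%SystemRoot%\\System32\\LogFiles\\AIT\\AitEventLog.etl"
"LogFileMode"=dword:01001282

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog\{6ADDABF4-8C54-4eab-BF4F-FBEF61B62EB0}]
"Enabled"=dword:00000001
"MatchAnyKeyword"=hex(b):00,00,00,00,00,00,00,00
"Sample"=hex:01,02,03,\
  04,05
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]*)\]\s*$')
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<raw>.*)$')
HEX_RE = re.compile(r'^hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<data>.*)$', re.I)


def _unescape(s: str) -> str:
    # .reg escapes backslash and double quote with a leading backslash; drop it in one pass.
    return re.sub(r'\\(.)', r'\1', s)


def decode_value(raw: str) -> Decoded:
    """Decode the right-hand side of a "Name"=... line into a Python value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':   # REG_SZ
        return _unescape(raw[1:-1])
    if raw.lower().startswith('dword:'):                     # REG_DWORD, 8 hex digits
        return int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group('data').split(',') if b.strip())
        kind = (m.group('t') or '3').lower()
        if kind == 'b':                                      # hex(b): REG_QWORD, little-endian
            return int.from_bytes(data, 'little')
        if kind in ('2', '7'):                               # REG_EXPAND_SZ / REG_MULTI_SZ, UTF-16LE
            text = data.decode('utf-16-le', errors='replace').rstrip('\0')
            return text.replace('\0', ';') if kind == '7' else text
        return data                                          # REG_BINARY and anything else
    return raw                                               # unknown form: keep verbatim


def parse_reg(text: str) -> List[Dict]:
    """Return one {"key": ..., "values": {...}} entry per [KEY] block."""
    entries: List[Dict] = []
    current: Optional[Dict] = None
    lines = text.lstrip('\ufeff').splitlines()      # regedit exports start with a BOM
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        # A trailing backslash means the hex data continues on the next line.
        while line.endswith('\\') and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        km = KEY_RE.match(line)
        if km:
            current = {"key": km.group('key'), "values": {}}
            entries.append(current)
        elif current is not None:
            vm = VALUE_RE.match(line)
            if vm:
                name = vm.group('name')
                name = '(Default)' if name == '@' else _unescape(name[1:-1])
                current["values"][name] = decode_value(vm.group('raw'))
        i += 1
    return entries


def format_event(entry: Dict) -> str:
    """Render one key as a multi-line event that Splunk's automatic KV extraction can read."""
    out = [f"RegistryKey={entry['key']}", f"ValueCount={len(entry['values'])}"]
    for name, value in entry["values"].items():
        field = re.sub(r'[^A-Za-z0-9_]', '_', name)         # safe Splunk field name
        rendered = value.hex() if isinstance(value, bytes) else str(value)
        if rendered == '' or ' ' in rendered:
            rendered = f'"{rendered}"'                      # quote so KV keeps the whole value
        out.append(f"{field}={rendered}")
    return "\n".join(out)


def reg_to_events(text: str) -> str:
    """Whole .reg text -> blank-line-separated events, one per key."""
    return "\n\n".join(format_event(e) for e in parse_reg(text)) + "\n"


if __name__ == "__main__":
    # For a real export use open(path, encoding="utf-16"): regedit writes UTF-16LE.
    print(reg_to_events(SAMPLE_REG))
```

Write the output to a file and monitor that instead of the raw .reg; because every event starts with a fixed RegistryKey= line, a props.conf stanza with SHOULD_LINEMERGE=true and BREAK_ONLY_BEFORE=^RegistryKey= makes each key one event, and the name=value lines are then picked up as fields without any serial-number column. Two caveats: a .reg export carries no timestamps, so Splunk will stamp these events with index time unless you add a field of your own, and the sanitized field names (spaces and punctuation replaced by underscores) are what you will see in search, not the original value names.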