Looking at my indexes, I see that in the index Windows (which was created by Splunk_TA_windows)
I have about 90% of the events with
event_status="(0)The operation completed successfully."
pid=944
process_image="c:\Windows\System32\svchost.exe"
registry_type="CreateKey"
key_path="HKLM\software\classes"
data_type="REG_NONE"
data=""
This is a pretty useless event, I think. What would be the best way to exclude this from being picked up by Splunk? I don't typically try to exclude things, but in the last 30-day sample this event accounts for 92% of the events in that index. It would be nice to cut that chunk of useless data out.
Unless I am wrong, should I leave this one for some unknown reason?
I would want to change this on the deployment server:
/opt/splunk/etc/deployment-apps/Splunk_TA_windows/default/props.conf
so that it gets pushed out to all the hosts, I would assume?
I think this is the section that is pulling those events. Not sure, but it is the only reference (via sos) that shows WinRegistry as a source:
[source::....winregistry]
sourcetype = WinRegistry
LINE_BREAKER = ([\r\n]+)\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\.\d+
## WinRegistry endpoint changes
## Required fields: action,dest,object,object_category,object_path,status,user
## Optional fields: object_id,object_attrs,user_type,msg,data,severity
[WinRegistry]
REPORT-object_object_path_for_WinRegistry = object_object_path_for_WinRegistry
REPORT-vendor_status_msg_for_WinRegistry = vendor_status_msg_for_WinRegistry
REPORT-user_for_WinRegistry = user_for_WinRegistry
# data is already set via KV field extraction
Thanks
John
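As an added illustration (not part of the post, and not configuration from Splunk_TA_windows), the following script shows the usual way such an event is excluded: index-time routing to Splunk's nullQueue via a TRANSFORMS stanza in props.conf plus a matching transforms.conf stanza. The regex is written to match only the svchost CreateKey on the bare HKLM\software\classes key and is exercised against constructed sample events before it is ever deployed. Assumptions: the raw event text carries the key=value pairs in the form the post lists (this is constructed, not the exact WinRegistry raw format, so check it against real _raw events first), and the stanza names, the sample events and the timestamp are invented for the example.

```python
import re

# Index-time filter for the noisy registry event described in the post.
# Assumption: the raw event carries the key=value pairs in the form shown
# in the post (field names and quoting), so the same regex can be handed to
# a Splunk transforms.conf stanza. Validate it against real _raw events first.
DROP_REGEX = (
    r'(?is)'
    # process_image may be quoted or unquoted; case-insensitive path match
    r'(?=.*process_image="?c:\\windows\\system32\\svchost\.exe"?)'
    r'(?=.*registry_type="?CreateKey"?)'
    # anchor the end of key_path so subkeys (HKLM\software\classes\...) are kept
    r'(?=.*key_path="?HKLM\\software\\classes"?(?:\s|$))'
)
DROP_PATTERN = re.compile(DROP_REGEX)

# Assumed deployment: standard Splunk nullQueue routing. These stanzas are an
# example, not the TA's own configuration; TRANSFORMS run on the parsing
# tier (indexers or heavy forwarders), not on a universal forwarder.
PROPS_CONF = (
    "[WinRegistry]\n"
    "TRANSFORMS-drop_svchost_classes_createkey = drop_svchost_classes_createkey\n"
)
TRANSFORMS_CONF = (
    "[drop_svchost_classes_createkey]\n"
    "REGEX = " + DROP_REGEX + "\n"
    "DEST_KEY = queue\n"
    "FORMAT = nullQueue\n"
)


def make_event(pid, process_image, registry_type, key_path,
               data_type="REG_NONE", data=""):
    """Build a constructed WinRegistry-style event in the layout the post lists."""
    return "\n".join([
        "03/11/2014 10:15:02.123",  # constructed timestamp in the LINE_BREAKER shape
        'event_status="(0)The operation completed successfully."',
        "pid=%s" % pid,
        'process_image="%s"' % process_image,
        'registry_type="%s"' % registry_type,
        'key_path="%s"' % key_path,
        'data_type="%s"' % data_type,
        'data="%s"' % data,
    ])


def should_drop(event):
    """True when the event would be routed to nullQueue by DROP_REGEX."""
    return DROP_PATTERN.match(event) is not None


def filter_events(events):
    """Split events into (kept, dropped) the way the transform would."""
    kept, dropped = [], []
    for ev in events:
        (dropped if should_drop(ev) else kept).append(ev)
    return kept, dropped


# Constructed sample events: two copies of the noisy event (different pids,
# since svchost pids change across reboots), and three that must survive.
SVCHOST = r"c:\Windows\System32\svchost.exe"
SAMPLE_EVENTS = [
    make_event(944, SVCHOST, "CreateKey", r"HKLM\software\classes"),
    make_event(1208, SVCHOST, "CreateKey", r"HKLM\software\classes"),
    # a subkey under classes: not the noise, keep it
    make_event(944, SVCHOST, "CreateKey",
               r"HKLM\software\classes\CLSID\{constructed-guid}"),
    # a different operation on the same key: keep it
    make_event(944, SVCHOST, "DeleteKey", r"HKLM\software\classes"),
    # a Run-key write by a non-system process: exactly what a defender wants to keep
    make_event(5120, r"C:\Users\alice\AppData\Local\Temp\setup.exe", "SetValue",
               r"HKLM\software\Microsoft\Windows\CurrentVersion\Run",
               data_type="REG_SZ", data=r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
]

if __name__ == "__main__":
    kept, dropped = filter_events(SAMPLE_EVENTS)
    print("dropped %d, kept %d" % (len(dropped), len(kept)))
    print(PROPS_CONF)
    print(TRANSFORMS_CONF)
```

Two practical points follow from the design. The pid is deliberately left out of the regex because it changes on every reboot, while the process image, operation and exact key path identify the noise; keeping the match narrow matters because nullQueue'd data is never indexed and cannot be recovered, and registry writes by other processes (the Run-key sample above) are the kind of event a detection team relies on. Since the routing happens at parse time, the stanzas take effect on whichever tier parses the data (indexers or heavy forwarders); pushing them to universal forwarders via the deployment server does not filter anything there, and local overrides normally go in a local/ directory rather than the TA's default/props.conf so they survive TA upgrades.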