Documentation > Splunk > Admin Manual > procmon-filters.conf

Admin Manual

 


Welcome
What to do first
Start Splunk
Meet Splunk Web and Splunk Apps
Before you configure
Add data and configure inputs
Indexing and event processing
Timestamps
Add and manage users
Manage indexes
Define alerts
Set up backups and retention policies
Configure data security
Set up forwarding and receiving
Deploy to other Splunk instances
Set up distributed search
Manage search jobs
Use Splunk's command line interface (CLI)
Configuration file reference
Troubleshooting

procmon-filters.conf

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

procmon-filters.conf

The following are the spec and example files for procmon-filters.conf.

procmon-filters.conf.spec

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.0 
#
# This file contains potential attribute/value pairs to use when configuring Windows registry
# monitoring. The procmon-filters.conf file is used in conjunction with sysmon.conf, and 
# contains the specific regular expressions you create to refine and filter the processes
# you want Splunk to monitor. You must restart Splunk to enable configurations. 
# 
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[<stanza name>]
	* Name of the filter being defined.

proc = <string>
	* Regex specifying process image that you want Splunk to monitor.

type = <string>
	* Regex specifying the type(s) of process event that you want Splunk to monitor. 
        This must be a subset of those defined for the event_types attribute in regmon-filters.conf.

hive = <string>
	* Not used in this contexted, but should always have value ".*"

procmon-filters.conf.example

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.0 
#
# This file contains example registry monitor filters. To create your own filter, use 
# the information in procmon-filters.conf.spec.
#
# To use one or more of these configurations, copy the configuration block into
# procmon-filters.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[default]
hive = .*

[not-splunk-optimize]
proc = (?<!splunk-optimize.exe)$
type = create|exit|image
Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.0.3/Admin/Procmon-filtersconf"

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!