Splunk® Enterprise

Getting Data In


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Windows registry - local

You can monitor changes to the Registry on Windows machines with Splunk. Whether it's an entire hive or just one key, whether it's an add, change, delete or even just a read - Splunk's Registry monitoring service can collect that data and allow you to search, report and alert on it.

To collect registry change data from the Windows machine that Splunk itself runs on, configure a local Registry monitoring input:

1. From the Home page in Splunk Web, click Add data.

2. Under the To get started... banner, click Windows registry.

3. Choose Next under Windows Registry data on this Splunk server.

4. Click New.

5. On the next page, type in a name that you'll remember in the Collection Name field.

6. Click the Browse... button next to the Registry hive field to select a hive path to monitor.

7. When the tree view appears, select the hive or key that you want to monitor by clicking on the folder or document icons within the tree view.

For example, if you want to monitor the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control Registry path, in the tree view window, click once on HKEY_LOCAL_MACHINE to expand it, then SYSTEM in the expanded list, then CurrentControlSet, and finally Control. The selected Registry path always appears in the Qualified Name field at the bottom of the window.

8. Once you have chosen the desired hive or key to monitor, click Select.

9. Select the Monitor subnodes checkbox if you want Splunk to monitor all Registry key paths below the hive or node that you selected in Step 7.

Note: Monitoring subnodes multiplies the number of events; be sure to read the information about filtering incoming Registry events below.

10. Choose up to 7 Registry event types that you want Splunk to monitor by selecting the checkboxes beside the desired events.

Note: More information on these event types can be found in "Enable Registry monitoring in Splunk Web" in this manual.

You can usually leave the other fields unchanged, including the fields under the More settings option.

11. Click Save.

12. You'll be returned to the Registry Monitoring page. From here, you can add new Registry monitoring inputs, or click Back to Home in the upper left corner of the screen to return to the Home page and search through your incoming data.

Windows Registry monitoring inputs generate a lot of data. To learn how to filter that data, or for additional information about the Registry monitor inputs, review "Monitor Windows registry data" in this manual.
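The same input can be defined directly in inputs.conf, which is what Splunk Web writes when you click Save. The stanza below is an added example, not text from the original page: it maps each field of the procedure above (hive, Monitor subnodes, event types) onto the WinRegMon attributes documented for Splunk Enterprise 6.x, and adds a second stanza for the HKLM Run key as an illustration of the filtering the previous paragraph refers to. The stanza names, the index name winreg, and the file location are placeholders chosen for this example.

```ini
# Added example (not from the original page). Assumed location on the monitored
# host: %SPLUNK_HOME%\etc\system\local\inputs.conf, e.g.
#   C:\Program Files\Splunk\etc\system\local\inputs.conf
# Splunk Web normally writes the stanza under an app's local directory instead.
# Restart splunkd after editing.

# Equivalent of the walkthrough: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
# with "Monitor subnodes" selected.
[WinRegMon://control_keys]
# "Registry hive" field. HKEY_LOCAL_MACHINE is written in its kernel form
# \REGISTRY\MACHINE, and backslashes are doubled because the value is a regex.
# The trailing \\.* is what the "Monitor subnodes" checkbox adds: every key
# below ...\Control matches, not only the selected key itself.
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\.*

# Regex on the image path of the process that touches the key. .* keeps
# everything; narrowing it is one way to cut volume.
proc = .*

# The event types chosen in step 10, pipe-separated. The full set of seven is
# set|create|delete|rename|open|close|query. open, close and query are the
# read-side events ("even just a read" in the introduction) and produce by far
# the most data, so only the write operations are kept here.
type = set|create|delete|rename

# baseline = 1 snapshots the current contents of the monitored keys at startup;
# baseline_interval is the number of seconds between new baselines. Left off here.
baseline = 0
baseline_interval = 86400

disabled = 0
# Placeholder index; create it first or omit the attribute to use the default.
index = winreg

# Second stanza, beyond the page's example path: the machine-wide Run key, a
# common persistence location. Only writes are collected, and the process
# filter excludes a hypothetical line-of-business installer that rewrites the
# key on every start. Adjust the regex to your own environment.
[WinRegMon://hklm_run]
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = (?!C:\\Program Files\\Contoso\\installer\.exe).*
type = set|create|delete|rename
baseline = 1
baseline_interval = 86400
disabled = 0
index = winreg
```

After the restart, Registry events from this input arrive with sourcetype WinRegistry, so a search such as sourcetype=WinRegistry registry_type=SetValue confirms that the input is producing data and shows the key path, value data and originating process for each change. If event counts are far higher than expected, check first whether any of open, close or query slipped into the type list.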

Last modified on 23 October, 2014

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
