Hello!
I need some help filtering Windows registry events in Splunk. Here is my inputs.conf file
[WinRegMon://default]
disabled = 0
hive = .*
proc = .(?!symantec|google)([a-z0-9*]+)$
type = rename|set|delete|create
index = windows
As you can see in proc, I am trying to remove all entries which have the word sDymantec and google, but I have had no success.
Could anyone provide a way they are doing this or a suggestion?
Thank you!
↧