Hello,
Is it possible to grab a whole registry key for User/Host tagging instead of having to put each value in its own [UserHostTagging] stanza in the uberAgent.conf file?
We have a group that controls what data gets put in a particular key and we would like to not have to change the .conf file each time they add values that we want to capture.
Thanks
Hi Stephen,
What you are trying to do is not possible right now using UserHostTagging, but can be achieved by utilizing uberAgents Custom Script functionality. Please find the documentation here.
Thank you for the response Martin.
A follow-up question: I notice that the examples in the documentation show that you proceed to 'Splunk It' - performing a splunk search to find the data. Is there any way to key off of any of the results within the uberAgent search head app itself? Or would that require a custom dashboard?
Thanks
Meant to say instead of keying off the data - using that data within a filter to find those machines with one of the specific registry keys within the app - same as we can with the UserHostTagging.
Thanks
Hi Stephen,
You are absolutely right.
It would require a custom dashboard, to visualize the data of sourcetype uberAgent:Script:*, to make it searchable in a way like you described with UserHostTagging.