0

Grabbing a whole registry key for User/Host Tags

Hello,

 

Is it possible to grab a whole registry key for User/Host tagging instead of having to put each value in its own [UserHostTagging] stanza in the uberAgent.conf file?

We have a group that controls what data gets put in a particular key and we would like to not have to change the .conf file each time they add values that we want to capture.

 

Thanks

4 comments

  • Avatar
    Martin Kretzschmar Official comment

    Hi Stephen,

    What you are trying to do is not possible right now using UserHostTagging, but can be achieved by utilizing uberAgents Custom Script functionality. Please find the documentation here

  • 0
    Avatar
    Stephen Hardy

    Thank you for the response Martin.

     

    A follow-up question:  I notice that the examples in the documentation show that you proceed to 'Splunk It' - performing a splunk search to find the data.  Is there any way to key off of any of the results within the uberAgent search head app itself?  Or would that require a custom dashboard?

     

    Thanks

  • 0
    Avatar
    Stephen Hardy

    Meant to say instead of keying off the data - using that data within a filter to find those machines with one of the specific registry keys within the app - same as we can with the UserHostTagging.

     

    Thanks

  • 0
    Avatar
    Martin Kretzschmar

    Hi Stephen,

    You are absolutely right.

    It would require a custom dashboard, to visualize the data of sourcetype uberAgent:Script:*, to make it searchable in a way like you described with UserHostTagging.

Please sign in to leave a comment.