(imported topic written by JasonWalker)
I was wondering if there is a way to reuse a property defined in an analysis, somewhere later in the analysis? As a simple example, let’s say I want to locate the Uninstall registry key of the Splunk product, and display several values of it in an Analysis. What I have to start with is:
SplunkInstalled:
exists (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.")
SplunkUninstallRegKey:
(keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.")
InstallLocation:
value "InstallLocation" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.")
Version:
value "DisplayVersion" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.")
I’d like to stop repeating the whole (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.") line, and instead use the result of the second property “SplunkUninstallRegKey”. So I would hope to end up with something like:
InstallLocation:
value "InstallLocation" of SplunkUninstallRegKey of native registry
Version:
value "DisplayVersion" of SplunkUninstallRegKey of native registry
Is there any way to do that in an analysis? I know this is a trivial example, but in similar analysis of files on the system that might exist in Program Files or in Program Files (x86), it would save me a lot of typing & improve readability if I can reuse an analysis property in this way.