https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528802#M149302 <P>I tried this way but I didn't receive any result. I am a newbie in Splunk <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;</P><P>What do you think about this way?:</P><P>I can search all events with a successful update using regex search&nbsp;</P><P>source="WinEventLog:System" | regex Message = "KB5555555" and for example i receive a few events from two hosts. <STRONG>First question</STRONG>: How I can create a table with a list of these hosts?</P><P><SPAN>As I guess, then I can't use a search like "source="WinEventLog:System" | regex not Message = "KB5555555"" to find all hosts without this update because this search won't show any events.&nbsp;&nbsp;</SPAN></P><P><SPAN>I'm stumped <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;</SPAN></P> Tue, 10 Nov 2020 09:32:40 GMT ivan123357 2020-11-10T09:32:40Z https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528559#M149255 <P>Hello! I am new in Splunk Search.&nbsp;&nbsp;</P><P>I am using this query to find all hosts&nbsp;<SPAN>to which a specific update was installed:</SPAN></P><P>source="WinEventLog:System" | search "KB4579311" | stats last(Keywords) as lastStatus by _time, host | search lastStatus="Installation, Failure”</P><P>But I need a query to find all hosts and create a table with hosts to which this update wasn't installed.&nbsp;<SPAN>It turns out that I need to display all hosts that were not found in the request above. Need help with it. Thank you!</SPAN></P> Mon, 09 Nov 2020 17:08:43 GMT https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528559#M149255 ivan123357 2020-11-09T17:08:43Z https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528579#M149261 <P>Finding something that is not there is not Splunk's strong suit.&nbsp; See this blog entry for a good write-up on it.<BR /><BR /><A href="https://www.duanewaddle.com/proving-a-negative/" target="_blank">https://www.duanewaddle.com/proving-a-negative/</A></P> Mon, 09 Nov 2020 18:15:59 GMT https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528579#M149261 richgalloway 2020-11-09T18:15:59Z https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528581#M149262 <P>Thank you for your answer!</P><P><SPAN>If think logically, then I need to display hosts in the logs of which a certain number of updates is NOT found, which I indicate in the search. For example:</SPAN></P><P>source="WinEventLog:System" EventCode=19 | stats by host |where NOT like(Message, " Update_Number"). But this search shows all events without this string(update number) but I need only a list of hosts.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Nov 2020 18:24:28 GMT https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528581#M149262 ivan123357 2020-11-09T18:24:28Z https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528692#M149265 Hi<BR />I think this should work<BR />- get list of all your wndows hosts to lookup (e.g. once a week)<BR />- query hosts which have this fix applied<BR />- use previous lookup within above query to get list of nodes which haven’t this fix installed.<BR />There is quite many examples how this could do.<BR />r. Ismo Mon, 09 Nov 2020 19:29:20 GMT https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528692#M149265 isoutamo 2020-11-09T19:29:20Z https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528728#M149267 <P>Hello!</P><P>Sounds great. I will try it now.&nbsp;</P><P>Can you give me an example too or a URL to documentation? <SPAN>It would be cool if I had a fewexamples</SPAN></P> Mon, 09 Nov 2020 19:51:22 GMT https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528728#M149267 ivan123357 2020-11-09T19:51:22Z https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528733#M149271 This is one version of your challenge <A href="https://community.splunk.com/t5/Getting-Data-In/How-to-create-an-alert-for-the-host-not-sending-data-for-an-hour/m-p/407769" target="_blank">https://community.splunk.com/t5/Getting-Data-In/How-to-create-an-alert-for-the-host-not-sending-data-for-an-hour/m-p/407769</A><BR />r. Ismo Mon, 09 Nov 2020 20:16:52 GMT https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528733#M149271 isoutamo 2020-11-09T20:16:52Z https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528802#M149302 <P>I tried this way but I didn't receive any result. I am a newbie in Splunk <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;</P><P>What do you think about this way?:</P><P>I can search all events with a successful update using regex search&nbsp;</P><P>source="WinEventLog:System" | regex Message = "KB5555555" and for example i receive a few events from two hosts. <STRONG>First question</STRONG>: How I can create a table with a list of these hosts?</P><P><SPAN>As I guess, then I can't use a search like "source="WinEventLog:System" | regex not Message = "KB5555555"" to find all hosts without this update because this search won't show any events.&nbsp;&nbsp;</SPAN></P><P><SPAN>I'm stumped <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;</SPAN></P> Tue, 10 Nov 2020 09:32:40 GMT https://community.splunk.com/t5/Splunk-Search/Search-hosts-Windows-updates/m-p/528802#M149302 ivan123357 2020-11-10T09:32:40Z