https://community.splunk.com/t5/Splunk-Search/Subsearch-help-windows-patching/m-p/252683#M189346 <P>Hi, I've managed to use a few subsearches in the past with pretty good success but this one is troubling myself and a colleague, our windows event logs are pipped into splunk, it would be great if we could use the following query to find any servers that have not been patched in the last 'x' days, here are the two searches that work independently;</P> <P>Last 'x' days<BR /> index=winevent EventCode=19 Message="Installation Successful*"|transaction host|fields host<BR /> Specific time window<BR /> index=winevent EventCode=19 Message="Installation Successful*" earliest="09/01/2015:00:00:00" latest="10/16/2015:00:00:00"| transaction host | table host</P> <P>The second search has a date time range in it, to generate a list of all servers that were patched in that window, (found this to be a good way of getting a list of servers that should have been patched). I tried to put them together to make this;</P> <P>index=winevent host NOT [search index=winevent EventCode=19 Message="Installation Successful*"|transaction host|fields host] EventCode=19 Message="Installation Successful*" earliest="09/01/2015:00:00:00" latest="10/16/2015:00:00:00"| transaction host | table host</P> <P>but it fails, any ideas where I'm going wrong</P> Tue, 29 Sep 2020 08:00:37 GMT jbeckwith 2020-09-29T08:00:37Z https://community.splunk.com/t5/Splunk-Search/Subsearch-help-windows-patching/m-p/252683#M189346 <P>Hi, I've managed to use a few subsearches in the past with pretty good success but this one is troubling myself and a colleague, our windows event logs are pipped into splunk, it would be great if we could use the following query to find any servers that have not been patched in the last 'x' days, here are the two searches that work independently;</P> <P>Last 'x' days<BR /> index=winevent EventCode=19 Message="Installation Successful*"|transaction host|fields host<BR /> Specific time window<BR /> index=winevent EventCode=19 Message="Installation Successful*" earliest="09/01/2015:00:00:00" latest="10/16/2015:00:00:00"| transaction host | table host</P> <P>The second search has a date time range in it, to generate a list of all servers that were patched in that window, (found this to be a good way of getting a list of servers that should have been patched). I tried to put them together to make this;</P> <P>index=winevent host NOT [search index=winevent EventCode=19 Message="Installation Successful*"|transaction host|fields host] EventCode=19 Message="Installation Successful*" earliest="09/01/2015:00:00:00" latest="10/16/2015:00:00:00"| transaction host | table host</P> <P>but it fails, any ideas where I'm going wrong</P> Tue, 29 Sep 2020 08:00:37 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-help-windows-patching/m-p/252683#M189346 jbeckwith 2020-09-29T08:00:37Z https://community.splunk.com/t5/Splunk-Search/Subsearch-help-windows-patching/m-p/252684#M189347 <P>Try</P> <PRE><CODE>index=winevent EventCode=19 Message="Installation Successful*" NOT [index=winevent EventCode=19 Message="Installation Successful*" earliest="09/01/2015:00:00:00" latest="10/16/2015:00:00:00"|dedup host | fields host] | dedup host | fields host </CODE></PRE> Mon, 30 Nov 2015 16:08:43 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-help-windows-patching/m-p/252684#M189347 jplumsdaine22 2015-11-30T16:08:43Z https://community.splunk.com/t5/Splunk-Search/Subsearch-help-windows-patching/m-p/252685#M189348 <P>Ah dedup, thank you!</P> <PRE><CODE>index=winevent EventCode=19 Message="Installation Successful*" earliest="09/01/2015:00:00:00" latest="10/30/2015:00:00:00" NOT [search index=winevent EventCode=19 Message="Installation Successful*"|dedup host | fields host] | dedup host | fields host | table host </CODE></PRE> <P>Once I put the query the right way around it works a treat, got my list of servers that haven't been patched in that time window</P> Mon, 30 Nov 2015 17:31:42 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-help-windows-patching/m-p/252685#M189348 jbeckwith 2015-11-30T17:31:42Z https://community.splunk.com/t5/Splunk-Search/Subsearch-help-windows-patching/m-p/252686#M189349 <P>If you're not already, recommend splunking the windowsupdate.log file too. Can do what you're looking for here as well as tell you how many patches are needed etc. </P> Tue, 01 Dec 2015 05:25:18 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-help-windows-patching/m-p/252686#M189349 brooklynotss 2015-12-01T05:25:18Z https://community.splunk.com/t5/Splunk-Search/Subsearch-help-windows-patching/m-p/252687#M189350 <P>No problem. Do you mind accepting the answer? To help future forum users <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Cheers,</P> <P>JP</P> Tue, 01 Dec 2015 12:40:43 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-help-windows-patching/m-p/252687#M189350 jplumsdaine22 2015-12-01T12:40:43Z