Windows Updates Alerts Works Not Working For 3 Domain Controllers


Hi All,

We monitor 29 windows servers in our environment with a mixture of server2012, 2016 and 2019. The following search gives me updates for all of our windows servers, except for 3 Windows Server2016 Domain controllers.  We use the following search criteria:


tag=Windows_Update package=*
| dedup package, host
| eval status=if(eventtype=="Update_Successful", "Success", if(eventtype=="Update_Failed", "Failed", "NA"))
| search NOT status="NA"
| stats latest(_time) as ltime, count by status, host, package
| convert ctime(ltime)
| eval lsuccess="Succesful at (".ltime.")"
| eval lfail="Failed at (".ltime.")"
| eval lstatus=if(status=="Success",lsuccess,lfail)
| stats values(lstatus) as Status_History by host, package
| sort host,package
| eval scount=mvcount(Status_History)
| eval Last_Status=if(scount>1,"Success",if(match(Status_History, "Success*"),"Success","Failed"))
| table host, package, Last_Status, Status_History
| sort host,package


Any thoughts on why we do not see updates for the 3 domain controllers?



Labels (1)
0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...