Hi All,

We monitor 29 windows servers in our environment with a mixture of server2012, 2016 and 2019. The following search gives me updates for all of our windows servers, except for 3 Windows Server2016 Domain controllers.  We use the following search criteria:

****************************************************************************************************

tag=Windows_Update package=*
| dedup package, host
| eval status=if(eventtype=="Update_Successful", "Success", if(eventtype=="Update_Failed", "Failed", "NA"))
| search NOT status="NA"
| stats latest(_time) as ltime, count by status, host, package
| convert ctime(ltime)
| eval lsuccess="Succesful at (".ltime.")"
| eval lfail="Failed at (".ltime.")"
| eval lstatus=if(status=="Success",lsuccess,lfail)
| stats values(lstatus) as Status_History by host, package
| sort host,package
| eval scount=mvcount(Status_History)
| eval Last_Status=if(scount>1,"Success",if(match(Status_History, "Success*"),"Success","Failed"))
| table host, package, Last_Status, Status_History
| sort host,package

**********************************************************************************************

Any thoughts on why we do not see updates for the 3 domain controllers?

Thanks,

Bob