Alerting

Windows Updates Monitoring

brookshelpdesk
Engager

Hi All,

Environment: Splunk 8.0 Cloud / Splunk Heavy Forwarder

I have an alert configured to give a weekly report for all Windows servers (a mixture of Windows Server 2012 and 2016) for Windows updates. When an update installs on a server we get the report emailed to us weekly. We get verification that the Windows updates got installed on all servers, except for 3 domain controllers (Windows Server 2016 domain). Could someone look at this search string and let me know if there is something missing, or should I be doing a different search criteria? Thanks in advance.

***************************************************************************************************

tag=Windows_Update package=*
| dedup package, host
| eval status=if(eventtype=="Update_Successful", "Success", if(eventtype=="Update_Failed", "Failed", "NA"))
| search NOT status="NA"
| stats latest(_time) as ltime, count by status, host, package
| convert ctime(ltime)
| eval lsuccess="Successful at (".ltime.")"
| eval lfail="Failed at (".ltime.")"
| eval lstatus=if(status=="Success",lsuccess,lfail)
| stats values(lstatus) as Status_History by host, package
| sort host,package
| eval scount=mvcount(Status_History)
| eval Last_Status=if(scount>1,"Success",if(match(Status_History, "Success*"),"Success","Failed"))
| table host, package, Last_Status, Status_History
| sort host,package

*********************************************************************************************

 

Bob

0 Karma

DalJeanis
Legend

Much of what you are doing does not make much sense.

The initial dedup will give you exactly one record for each host and package, so all the following logic that presumes there is anything to count, or any MV in the records, is not needed.

The latest() aggregate function for stats will pull you the last value, so you don't even have to dedup.

So, this gets you the equivalent output of what you wrote.

tag=Windows_Update package=* host=*
| fields host package eventtype
| stats latest(_time) as _time latest(eventtype) as eventtype by host package
| eval ltime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval status=case(eventtype=="Update_Successful", "Successful at (".ltime.")",
                   eventtype=="Update_Failed", "Failed at (".ltime.")",
                   true(),"NA")
| table host package status

 

Now, if you wanted a history, including the last value, then you could do something like this:

tag=Windows_Update package=* host=*
(eventtype=Update_Successful OR eventtype=Update_Failed)
| fields host package eventtype
| eval ltime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval status=case(eventtype=="Update_Successful", "Successful at (".ltime.")",
                   eventtype=="Update_Failed", "Failed at (".ltime.")")
| sort 0 host package - _time
| stats latest(status) as Last_Status list(status) as Status_History by host package


0 Karma
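The reply above makes two claims about the original search: that `dedup package, host` leaves exactly one event per (host, package), so `mvcount`/`scount>1` can never be true, and that `stats latest(...)` by host and package gives the same last status without the dedup. The following Python script is an added example (not part of the thread and not Splunk code) that re-implements both of the reply's searches over a constructed set of sample Windows Update events, so the behaviour can be checked offline. The event fields, KB numbers, hostnames and timestamps are all made up for illustration; the date format is an assumed `%Y-%m-%d %H:%M:%S` in UTC.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events standing in for the results of `tag=Windows_Update package=*`.
# Only the fields the searches use are modelled: _time (epoch seconds), host, package, eventtype.
# app01/KB5031455 deliberately has a non-update event as its newest record to show how the
# two searches in the reply treat it differently.
EVENTS = [
    {"_time": 1700000000, "host": "app01", "package": "KB5031364", "eventtype": "Update_Failed"},
    {"_time": 1700003600, "host": "app01", "package": "KB5031364", "eventtype": "Update_Successful"},
    {"_time": 1700000000, "host": "app02", "package": "KB5031364", "eventtype": "Update_Successful"},
    {"_time": 1700007200, "host": "app02", "package": "KB5031364", "eventtype": "Update_Failed"},
    {"_time": 1700000500, "host": "app02", "package": "KB5031455", "eventtype": "Update_Successful"},
    {"_time": 1700001000, "host": "app01", "package": "KB5031455", "eventtype": "Other_Event"},
]


def fmt(epoch):
    """Assumed display format for _time, equivalent to strftime(_time, "%Y-%m-%d %H:%M:%S") in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def status_text(ev):
    """The case() expression from the reply: label the event by its eventtype."""
    if ev["eventtype"] == "Update_Successful":
        return f"Successful at ({fmt(ev['_time'])})"
    if ev["eventtype"] == "Update_Failed":
        return f"Failed at ({fmt(ev['_time'])})"
    return "NA"


def dedup_by_host_package(events):
    """Model of `dedup package, host`: Splunk hands dedup events newest-first and keeps the first
    event seen per key, so exactly one event (the latest) survives per (host, package)."""
    seen = {}
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        key = (ev["host"], ev["package"])
        if key not in seen:
            seen[key] = ev
    return list(seen.values())


def counts_after_dedup(events):
    """What `stats ... count by status, host, package` sees after the dedup in the original search:
    every (host, package) key counts exactly 1, so the later `scount>1` test can never be true."""
    counts = defaultdict(int)
    for ev in dedup_by_host_package(events):
        counts[(ev["host"], ev["package"])] += 1
    return dict(counts)


def last_status(events):
    """Model of the reply's first search: latest event per (host, package), labelled by status."""
    return {(ev["host"], ev["package"]): status_text(ev) for ev in dedup_by_host_package(events)}


def status_history(events):
    """Model of the reply's second search: keep only success/failure events, then per
    (host, package) report the latest status and the full history, newest first."""
    groups = defaultdict(list)
    for ev in events:
        if ev["eventtype"] in ("Update_Successful", "Update_Failed"):
            groups[(ev["host"], ev["package"])].append(ev)
    out = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["_time"], reverse=True)  # `sort 0 host package - _time`
        history = [status_text(e) for e in evs]           # list(status) keeps event order
        out[key] = {"Last_Status": history[0], "Status_History": history}
    return out


if __name__ == "__main__":
    print("counts after dedup:", counts_after_dedup(EVENTS))
    for key, status in sorted(last_status(EVENTS).items()):
        print("last status", key, status)
    for key, row in sorted(status_history(EVENTS).items()):
        print("history", key, row)
```

Two things worth noticing when running it: the first search reports `NA` for a package whose newest event is not an update event (the original search would have dropped that row with `search NOT status="NA"`), while the second search ignores non-update events before grouping. Neither search can list a host that produced no `tag=Windows_Update` events at all, so a host missing from the report is missing from the search input, not lost in the aggregation.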

SamHTexas
Builder

Dal, would you please help with how I can receive alerts from Heavy Forwarders when their data volume drops below, say, 20% of the daily total? We have only a few HFs but many UFs in both Windows and Linux environments. Thanks very much in advance.

0 Karma