Solved: How do I get to know the status of Windows Updates...

kkossery · ‎02-12-2014

Hi Experts,

I'm trying to setup the Windows Forwarder on different servers to forward the status of Windows Updates to the Splunk Server. I may have missed the document on how to do this. Can you help?

somesoni2 · ‎02-12-2014

Use this to monitor windows update log file (inputs.conf entry)

[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog

This is available as part of Splunk TA for windows app in splunk-base. You might want to look at that as well.

View solution in original post

somesoni2 · ‎02-12-2014

Use this to monitor windows update log file (inputs.conf entry)

[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog

This is available as part of Splunk TA for windows app in splunk-base. You might want to look at that as well.

idab · ‎08-25-2015

Hey guys !

So , I was wondering if I could get help here.Basically have the search I modified to check if windows updates were installed successfully(GOOD) or a FAIL. So, when i modified the search I found online .It says the updates were installed as a fail.But checking on the WSUS its says the updates installation was successful.So, i wondering if maybe there is something wrong with my search criteria / conditional clause. Looking forward to a feedback. 🙂

here is my search :
sourcetype=WinEventLog:System EventCode=19 tag=update | eval Date=strftime(_time, "%Y/%m/%d") | rex "\WKB(?.\d+)\W" | eval successRatio = if (status==installed, "GOOD" , "FAILED") | stats count by Date , host, package_title, KB , body , successRatio| sort host

kkossery · ‎02-12-2014

Thanks a lot!

How do I get to know the status of Windows Updates from different Windows servers

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms