Solved: Monitor Unsuccessful Windows Updates

test_qweqwe · ‎11-21-2017

How to change this search to show Unsuccessful/Failed Windows Updates?
sourcetype=WinEventLog:System EventCode=19 | eval Date=strftime(_time, "%Y/%m/%d") | rex "\WKB(?.\d+)\W" | eval successRatio=mvindex(split(Keywords,","),-1) | stats count by Date , host, package_title, KB , body , successRatio| sort host

elliotproebstel · ‎11-21-2017

I think your field extractions are different from mine, but I'll take a stab here. You definitely have an issue with the rex command, because that's not proper syntax. Give this a shot:

rex field=Message "\WKB(?<KB>\d+)\W"

If you still aren't getting the results you expect, try removing the | stats count... portion of the search and ensure that all of the fields you specify are present: Date, host, package_title, KB, body, and successRatio.

View solution in original post

elliotproebstel · ‎11-21-2017

I think your field extractions are different from mine, but I'll take a stab here. You definitely have an issue with the rex command, because that's not proper syntax. Give this a shot:

rex field=Message "\WKB(?<KB>\d+)\W"

If you still aren't getting the results you expect, try removing the | stats count... portion of the search and ensure that all of the fields you specify are present: Date, host, package_title, KB, body, and successRatio.

test_qweqwe · ‎11-21-2017

index=* (sourcetype="*WinEventLog:System" OR sourcetype="WindowsUpdateLog") (KB*) | stats latest(status) as lastStatus by _time, dest, signature, signature_id | search lastStatus=failure

This working

Monitor Unsuccessful Windows Updates

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows