Splunk Enterprise Security

Monitor Unsuccessful Windows Updates

Builder

How to change this search to show Unsuccessful/Failed Windows Updates?
sourcetype=WinEventLog:System EventCode=19 | eval Date=strftime(time, "%Y/%m/%d") | rex "\WKB(?.\d+)\W" | eval successRatio=mvindex(split(Keywords,","),-1) | stats count by Date , host, packagetitle, KB , body , successRatio| sort host

0 Karma
1 Solution

I think your field extractions are different from mine, but I'll take a stab here. You definitely have an issue with the rex command, because that's not proper syntax. Give this a shot:

rex field=Message "\WKB(?<KB>\d+)\W"

If you still aren't getting the results you expect, try removing the | stats count... portion of the search and ensure that all of the fields you specify are present: Date, host, package_title, KB, body, and successRatio.

View solution in original post

I think your field extractions are different from mine, but I'll take a stab here. You definitely have an issue with the rex command, because that's not proper syntax. Give this a shot:

rex field=Message "\WKB(?<KB>\d+)\W"

If you still aren't getting the results you expect, try removing the | stats count... portion of the search and ensure that all of the fields you specify are present: Date, host, package_title, KB, body, and successRatio.

View solution in original post

Builder

index=* (sourcetype="*WinEventLog:System" OR sourcetype="WindowsUpdateLog") (KB*) | stats latest(status) as lastStatus by _time, dest, signature, signature_id | search lastStatus=failure

This working

0 Karma