Filter away pattern on windows event log report

keyu921 · ‎09-19-2020

Current report for the following event log

index=windows EventType=4 host=* | table _time host EventCode Message

///

EventType=4
Type=Information
ComputerName=NOYO.asus.com
Message=Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.323.1450.0)

//

I try to filter away if event if message contains Security Intelligence Update for Microsoft Defender Antivirus

index=windows EventType=4 host=*
| where Message="%Security Intelligence Update for Microsoft Defender Antivirus%"
| table _time host EventCode Message

But seems message cannot filter

thambisetty · ‎09-19-2020

Where command is used to compare two field values or check if field value is less or greater than a given number.

read about where and search commands in search reference.

https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Where

————————————
If this helps, give a like below.

gcusello · ‎09-19-2020

Hi @keyu921,

please try this:

index=windows  EventType=4 host=* Message="*Security Intelligence Update for Microsoft Defender Antivirus*"
| table _time host EventCode Message

Ciao.

Giuseppe

Filter away pattern on windows event log report

table

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest