Current report for the following event log
index=windows EventType=4 host=* | table _time host EventCode Message
///
EventType=4
Type=Information
ComputerName=NOYO.asus.com
Message=Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.323.1450.0)
//
I am trying to filter away events if the message contains "Security Intelligence Update for Microsoft Defender Antivirus":
index=windows EventType=4 host=*
| where Message="%Security Intelligence Update for Microsoft Defender Antivirus%"
| table _time host EventCode Message
But it seems the Message field cannot be filtered this way.
The where command is used to compare two field values or to check whether a field value is less than or greater than a given number.
Read about the where and search commands in the Search Reference:
https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Where
Hi @keyu921,
please try this:
index=windows EventType=4 host=* Message="*Security Intelligence Update for Microsoft Defender Antivirus*"
| table _time host EventCode Message
Ciao.
Giuseppe
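As an added example (not part of keyu921's question or Giuseppe's answer), here is the same string match written both ways SPL accepts it. In the base search, `*` is the wildcard and `NOT` turns the match into the exclusion the question asks for. After a pipe, `where` expects a boolean expression, so the substring test has to go through `like()` with SQL-style `%` wildcards; a `%` inside a plain `Message="..."` comparison under `where` is taken literally, which is why the original where clause matched nothing. The index, field names and message text are the ones from the post; the first search is the base-search form, the second the where form, and they are meant to return the same events.

```spl
index=windows EventType=4 host=*
    NOT Message="*Security Intelligence Update for Microsoft Defender Antivirus*"
| table _time host EventCode Message

index=windows EventType=4 host=*
| where NOT like(Message, "%Security Intelligence Update for Microsoft Defender Antivirus%")
| table _time host EventCode Message
```

Two practical differences: the base-search form is pushed down to the indexers, so it discards the Defender update events before anything is streamed to the search head, whereas `where` runs after the events have already been retrieved; and `field="value"` in the base search is case-insensitive, while `like()` in `where` is case-sensitive, so a message whose casing differs from the pattern would be excluded by the first search but kept by the second.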