I want to first point out that using raw events to correlate two different datasets usually does not end very well, because the two datasets may not have exact matches in the _time field. If you are confident that the two datasets' _time fields do not differ by more than a certain amount, using a time bucket could remedy that, although there can be other side effects you may need to deal with. That said, if the data models have perfectly matching _time, you can use stats to correlate them.

| datamodel Updates Updates search
| rename Updates.dvc as host
| rename Updates.status as "Update Status"
| rename Updates.vendor_product as Product
| rename Updates.signature as "Installed Update"
```lastTime is not created by the datamodel command; it must come from an upstream stats/tstats max(_time) as lastTime```
| eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0)
| `security_content_ctime(lastTime)`
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| rename lastTime as "Last Update Time"
| table time host "Update Status" "Installed Update"
| `no_windows_updates_in_a_time_frame_filter`
```bring in the Update_Errors events; a generating command inside append needs the leading pipe```
| append
    [| datamodel Updates Update_Errors search
     | eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
     | search * host=$host$
     | table time, host, _raw]
```rows from both datasets collapse into one row only when time and host match exactly```
| stats values(*) as * values(_raw) as _raw by time host
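The time-bucket variant mentioned above, written out as an added example (this is not the answer author's query). It assumes the same Updates data model field names as the answer (Updates.dvc, Updates.status, Updates.signature, and a raw `host` field on Update_Errors events), a 5-minute bucket as a hypothetical tolerance, and tags each side with a constructed `source_dm` field so rows that matched on only one side can be told apart from real correlations:

```spl
``` added example: correlate Updates and Update_Errors on a 5-minute bucket instead of an exact _time ```
| datamodel Updates Updates search
| rename Updates.dvc as host
| rename Updates.status as "Update Status"
| rename Updates.signature as "Installed Update"
``` constructed marker field so stats can count how many data models contributed to each row ```
| eval source_dm="Updates"
| table _time host "Update Status" "Installed Update" source_dm
| append
    [| datamodel Updates Update_Errors search
     | eval source_dm="Update_Errors"
     | table _time host _raw source_dm]
``` floor _time of both sides to the same 5m boundary; choose the span from the expected _time skew ```
| bin _time span=5m
| stats values(*) as * values(_raw) as _raw dc(source_dm) as dm_count by _time host
``` dm_count=2 means both data models had an event for this host in this bucket ```
| where dm_count=2
| eval time=strftime(_time, "%m-%d-%y %H:%M:%S")
| table time host "Update Status" "Installed Update" _raw
```

Change `where dm_count=2` to `where dm_count=1` to list the buckets that only one side produced, which is the quickest way to see whether the chosen span is too tight. The side effect the answer alludes to is visible here: `bin` floors to fixed boundaries, so two events 30 seconds apart can still land in different buckets when they straddle a boundary, and several events from one host inside one bucket are merged into multivalue fields by `values(*)`.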