Hi All, (Environment) -Splunk8.0 Cloud/Splunk Heavy forwarder) I have an alert configured to give a weekly report for all windows servers (a mixture of windows server 2012 and 2016) for windows ...
See more...
Hi All, (Environment) -Splunk8.0 Cloud/Splunk Heavy forwarder) I have an alert configured to give a weekly report for all windows servers (a mixture of windows server 2012 and 2016) for windows updates. When an update installs on a server we get the report emailed to us weekly. We get verification that the windows updates got installed on all servers, except for 3 domain controllers (Windows Server 2016 domain). Could someone look at this search string and let me know if there is something missing, or should I be doing a different search criteria? Thanks in advance *************************************************************************************************** tag=Windows_Update package=* | dedup package, host | eval status=if(eventtype=="Update_Successful", "Success", if(eventtype=="Update_Failed", "Failed", "NA")) | search NOT status="NA" | stats latest(_time) as ltime, count by status, host, package | convert ctime(ltime) | eval lsuccess="Succesful at (".ltime.")" | eval lfail="Failed at (".ltime.")" | eval lstatus=if(status=="Success",lsuccess,lfail) | stats values(lstatus) as Status_History by host, package | sort host,package | eval scount=mvcount(Status_History) | eval Last_Status=if(scount>1,"Success",if(match(Status_History, "Success*"),"Success","Failed")) | table host, package, Last_Status, Status_History | sort host,package ********************************************************************************************* Bob