Hi, I've managed to use a few subsearches in the past with pretty good success, but this one is troubling me and a colleague. Our Windows event logs are piped into Splunk, and it would be great if we could use the following query to find any servers that have not been patched in the last 'x' days. Here are the two searches that work independently:
Last 'x' days:
index=winevent EventCode=19 Message="Installation Successful*"|transaction host|fields host
Specific time window:
index=winevent EventCode=19 Message="Installation Successful*" earliest="09/01/2015:00:00:00" latest="10/16/2015:00:00:00"| transaction host | table host
The second search has a date/time range in it to generate a list of all servers that were patched in that window (I found this to be a good way of getting a list of servers that should have been patched). I tried to put them together to make this:
index=winevent host NOT [search index=winevent EventCode=19 Message="Installation Successful*"|transaction host|fields host] EventCode=19 Message="Installation Successful*" earliest="09/01/2015:00:00:00" latest="10/16/2015:00:00:00"| transaction host | table host
but it fails. Any ideas where I'm going wrong?
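A corrected version of the combined search, added here as an example and not part of the original post. Three things break the attempt above: the bare term `host` placed before `NOT` is searched as literal text in the events rather than treated as a field; the subsearch carries no time range of its own, so nothing ties it to "the last x days"; and `transaction host` is an expensive way to reduce events to one row per host. The search below keeps the poster's index, EventCode and Message filter and the 09/01/2015 to 10/16/2015 window, assumes 30 days as 'x', assumes the field name `last_seen_patch` for the output column, and uses `dedup` and `stats` in place of `transaction`:

```spl
index=winevent EventCode=19 Message="Installation Successful*"
    earliest="09/01/2015:00:00:00" latest="10/16/2015:00:00:00"
    NOT [
        search index=winevent EventCode=19 Message="Installation Successful*"
            earliest=-30d@d latest=now
        | dedup host
        | fields host
    ]
| stats max(_time) AS last_seen_patch BY host
| eval last_seen_patch=strftime(last_seen_patch, "%Y-%m-%d %H:%M:%S")
| table host last_seen_patch
```

The subsearch returns its hosts as `(host="a") OR (host="b") ...`, which the outer `NOT [...]` turns into an exclusion list, so the result is every host with a successful install in the wide window that has had none in the last 30 days; the last column shows when each such host was last seen installing something. Two caveats: the outer window must be wider than the subsearch window, or every host is excluded; and subsearches are capped by default at 10,000 results and 60 seconds (`[subsearch]` in limits.conf), so with a very large estate it is safer to drop the subsearch altogether and run one search over the wide window with `| stats max(_time) AS last_seen_patch BY host | where last_seen_patch < relative_time(now(), "-30d@d")`, which computes the same set without the subsearch limits.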