Hi All, We monitor 29 windows servers in our environment with a mixture of server2012, 2016 and 2019. The following search gives me updates for all of our windows servers, except for 3 Windows Server2016 Domain controllers. We use the following search criteria: **************************************************************************************************** tag=Windows_Update package=* | dedup package, host | eval status=if(eventtype=="Update_Successful", "Success", if(eventtype=="Update_Failed", "Failed", "NA")) | search NOT status="NA" | stats latest(_time) as ltime, count by status, host, package | convert ctime(ltime) | eval lsuccess="Succesful at (".ltime.")" | eval lfail="Failed at (".ltime.")" | eval lstatus=if(status=="Success",lsuccess,lfail) | stats values(lstatus) as Status_History by host, package | sort host,package | eval scount=mvcount(Status_History) | eval Last_Status=if(scount>1,"Success",if(match(Status_History, "Success*"),"Success","Failed")) | table host, package, Last_Status, Status_History | sort host,package ********************************************************************************************** Any thoughts on why we do not see updates for the 3 domain controllers? Thanks, Bob
... View more