Sure thing,
Search 1: This gets us the uninstall event
index=wineventlog sourcetype="WinEventLog:Application" host!=DEV* host!=MIR* host!=TST host!=TMP* (EventCode=11724 OR EventCode=1034)
| rex field=Message "(?s)Product: (?<product_name>.*) --|(?s)Product\sName:\s(?<product_names>.*)\.\sProduct\sVersion"
| rex field=Message "--\s(?<action>.*)\.|(?<actions>.*)\.\sProduct\sName:"
| rex field=Message "error\sstatus:\s(?<error_code>\d*)\."
| eval Software=coalesce(product_name,product_names)
| eval Result=coalesce(action,actions)
| lookup AccountNameSid objectSid as Sid
| eval user=if(isnull(sAMAccountName), "User Not Defined", "")
| eval "Uninstalled By"=coalesce(sAMAccountName,user)
| search Software="[PRODUCT]*" Result="*remov*" error_code="0"
| fields _time host Software Result "Uninstalled By" Message
| table _time host Software Result "Uninstalled By"
| rename _time as "Date/Time" host as Host
| convert timeformat="%Y/%m/%d %H:%M:%S" ctime("Date/Time")
Search 2: This gets us the Install event
index=wineventlog sourcetype="WinEventLog:Application" host!=DEV* host!=MIR* host!=TST host!=TMP* (EventCode=11707 OR EventCode=1033)
| rex field=Message "(?s)Product: (?<product_name>.*) --|(?s)Product\sName:\s(?<product_names>.*)\.\sProduct\sVersion"
| rex field=Message "--\s(?<action>.*)\.|(?<actions>.*)\.\sProduct\sName:"
| rex field=Message "error\sstatus:\s(?<error_code>\d*)\."
| eval Software=coalesce(product_name,product_names)
| eval Result=coalesce(action,actions)
| lookup AccountNameSid objectSid as Sid
| eval user=if(isnull(sAMAccountName), "User Not Defined", "")
| eval "Installed By"=coalesce(sAMAccountName,user)
| search Software="[PRODUCT]*"
| fields _time host Software Result "Installed By" Message
| table _time host Software Result "Installed By"
| rename _time as "Date/Time" host as Host
| convert timeformat="%Y/%m/%d %H:%M:%S" ctime("Date/Time")
Please feel free to modify the searches; there are quite a few things in there to make it more friendly to the people who would read this. Thanks again for the help.
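As an added check, not part of the post above, the following Python script re-implements the three rex extractions, the coalesce() evals and the two search filters against constructed sample Message texts modelled on the MsiInstaller event formats (11724/11707 "Product: X -- ..." and 1034/1033 "Product Name: X. ... error status: N."). Group names use Python's (?P<name>...) syntax in place of PCRE's (?<name>...), the product prefix "Example Tool" stands in for [PRODUCT], and the messages are constructed, not taken from real hosts.

```python
import re

# Python equivalents of the three rex patterns in the posted searches.
# Splunk's rex is PCRE and uses (?<name>...); Python's re needs (?P<name>...).
# re.DOTALL stands in for the leading (?s) of the first rex.
PRODUCT_RE = re.compile(
    r"Product: (?P<product_name>.*) --"
    r"|Product\sName:\s(?P<product_names>.*)\.\sProduct\sVersion",
    re.DOTALL,
)
ACTION_RE = re.compile(r"--\s(?P<action>.*)\.|(?P<actions>.*)\.\sProduct\sName:")
ERROR_RE = re.compile(r"error\sstatus:\s(?P<error_code>\d*)\.")


def coalesce(*values):
    """Mirror of Splunk's coalesce(): first value that is neither None nor empty."""
    for v in values:
        if v:
            return v
    return None


def group(regex, message, name):
    """Return the named capture group from the first match, or None (unmatched alternative)."""
    m = regex.search(message)
    return m.group(name) if m else None


def parse_installer_event(message):
    """Build the same Software / Result / error_code fields the posted rex + eval lines build."""
    return {
        "Software": coalesce(group(PRODUCT_RE, message, "product_name"),
                             group(PRODUCT_RE, message, "product_names")),
        "Result": coalesce(group(ACTION_RE, message, "action"),
                           group(ACTION_RE, message, "actions")),
        "error_code": group(ERROR_RE, message, "error_code"),
    }


def matches_search1(fields, product_prefix):
    """Search 1 filter: Software="[PRODUCT]*" Result="*remov*" error_code="0".
    Splunk field matching is case-insensitive, hence the lower() calls."""
    sw, res, err = fields["Software"], fields["Result"], fields["error_code"]
    return (sw is not None and sw.lower().startswith(product_prefix.lower())
            and res is not None and "remov" in res.lower()
            and err == "0")


def matches_search2(fields, product_prefix):
    """Search 2 filter: Software="[PRODUCT]*" only."""
    sw = fields["Software"]
    return sw is not None and sw.lower().startswith(product_prefix.lower())


# Constructed sample Message texts (hypothetical; modelled on the MsiInstaller formats).
SAMPLE_MESSAGES = {
    11724: "Product: Example Tool -- Removal completed successfully.",
    11707: "Product: Example Tool -- Installation completed successfully.",
    1034: ("Windows Installer removed the product. Product Name: Example Tool. "
           "Product Version: 1.2.3. Product Language: 1033. Manufacturer: Example Corp. "
           "Removal success or error status: 0."),
    1033: ("Windows Installer installed the product. Product Name: Example Tool. "
           "Product Version: 1.2.3. Product Language: 1033. Manufacturer: Example Corp. "
           "Installation success or error status: 0."),
}


def run_searches(product_prefix="Example Tool"):
    """Parse every sample and report which EventCodes survive each search's filter."""
    parsed = {code: parse_installer_event(msg) for code, msg in SAMPLE_MESSAGES.items()}
    search1 = sorted(c for c, f in parsed.items()
                     if c in (11724, 1034) and matches_search1(f, product_prefix))
    search2 = sorted(c for c, f in parsed.items()
                     if c in (11707, 1033) and matches_search2(f, product_prefix))
    return parsed, search1, search2


if __name__ == "__main__":
    parsed, s1, s2 = run_searches()
    for code, fields in parsed.items():
        print(code, fields)
    print("Search 1 keeps:", s1)
    print("Search 2 keeps:", s2)
```

Running it shows one thing worth knowing before trusting Search 1: the 11724-style message has no "error status" phrase, so error_code stays empty for it and the error_code="0" clause keeps only the 1034 event; the 11707/1033 pair both pass Search 2 because it filters on Software alone.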