Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do I get to know the status of Windows Updates...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Experts,
I'm trying to setup the Windows Forwarder on different servers to forward the status of Windows Updates to the Splunk Server. I may have missed the document on how to do this. Can you help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use this to monitor windows update log file (inputs.conf entry)
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
This is available as part of Splunk TA for windows app in splunk-base. You might want to look at that as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use this to monitor windows update log file (inputs.conf entry)
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
This is available as part of Splunk TA for windows app in splunk-base. You might want to look at that as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey guys !
So , I was wondering if I could get help here.Basically have the search I modified to check if windows updates were installed successfully(GOOD) or a FAIL. So, when i modified the search I found online .It says the updates were installed as a fail.But checking on the WSUS its says the updates installation was successful.So, i wondering if maybe there is something wrong with my search criteria / conditional clause. Looking forward to a feedback. 🙂
here is my search :
sourcetype=WinEventLog:System EventCode=19 tag=update | eval Date=strftime(_time, "%Y/%m/%d") | rex "\WKB(?.\d+)\W" | eval successRatio = if (status==installed, "GOOD" , "FAILED") | stats count by Date , host, package_title, KB , body , successRatio| sort host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
