My Windows hosts should have 'WinEventLog:Security' and Script:InstalledUpdates.
How can I search for hosts that have Script:InstalledUpdates but are missing 'WinEventLog:Security'?
Thank you
Try this:
| tstats values(sourcetype) as sourcetypes where index=yourindex by host
| search sourcetypes="Script:InstalledUpdates" NOT sourcetypes="WinEventLog:Security"
Thank you!
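A time-bounded variant of the search in the answer above, as an added example that is not part of the original thread: without a time range, a host that stopped sending 'WinEventLog:Security' still counts as having it for as long as older events remain in the index. Assumptions: the 24-hour window is an arbitrary choice, `yourindex` is the placeholder from the answer, and the field names `has_updates`, `has_security` and `last_seen` are made up for this example.

```spl
| tstats max(_time) as last_seen where index=yourindex earliest=-24h latest=now
    (sourcetype="Script:InstalledUpdates" OR sourcetype="WinEventLog:Security")
    by host sourcetype
| eval has_updates=if(sourcetype=="Script:InstalledUpdates", 1, 0)
| eval has_security=if(sourcetype=="WinEventLog:Security", 1, 0)
| stats max(has_updates) as has_updates max(has_security) as has_security max(last_seen) as last_seen by host
| where has_updates=1 AND has_security=0
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort host
```

The `eval` comparisons are case-sensitive, so the sourcetype strings must match the indexed values exactly.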