How to search if Windows update was installed succ...

idab · ‎08-26-2015

Hi guys,

I modified a search we found online to show us what updates were installed successfully or not. The problem is, it says a fail on Splunk, but when we check the servers and WSUS, it says the updates were successfully installed. What would be the best way to write the search to check if the it was a good or failed installation?

Here is the search :

sourcetype=WinEventLog:System EventCode=19  tag=update | eval Date=strftime(_time, "%Y/%m/%d") | rex "\WKB(?<KB>.\d+)\W" | eval successRatio = if (status==installed, "GOOD" , "FAILED") | stats count by Date , host, package_title, KB , body , successRatio| sort host

Looking forward to ideas or response on this.

Thanks guys.

somesoni2 · ‎08-26-2015

If you see the field "Keywords" in your logs, try something like this

index=main sourcetype=WinEventLog:System EventCode=19  | eval Date=strftime(_time, "%Y/%m/%d") | rex "\WKB(?<KB>.\d+)\W" | eval successRatio=mvindex(split(Keywords,","),-1) | stats count by Date , host, package_title, KB , body , successRatio| sort host

idab · ‎08-26-2015

Thanks for the feedback somesoni2,
This was nicely done ; but i noticed the keywords on my log shows only what was installed and not the failed updates.
Any idea on how to find or get the information regarding the updates that failed during installation on the host ? If only there was way to recreate the above search to check for unsuccessful updates?

How to search if Windows update was installed successfully or not on multiple servers?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases