Pending Windows Updates

Comments

1 comment

  • Official comment
    Avatar
    Matt Sullivan

    sorry for delay, just spotted this one. not sure if true for every version of windows, but downloaded is eventcode 17 from the update client. this event can have multiple patches that need to be installed. here's something that I think could extract downloaded win updates. it's a starting point only, just replace xxx with your source category.

    _sourceCategory=xxx _sourceName=System "EventCode = 17;" WindowsUpdateClient
    | parse "InsertionStrings = {\"*\"};" as insertionstrings nodrop
    | parse regex field=insertionstrings "(?<winupdate>.*)\n" multi nodrop
    | count _sourcehost, winupdate

    I could envision doing a transaction on a concat of sourcehost and winupdate to see if an event code 19 followed for each, but I think the more common use case is to just look for fail event code 20s, as exists in the Sumo Logic Windows app that you can install to borrow code.

Please sign in to leave a comment.