The following Splunk query returns any Windows updates (patches) that have been applied, by searching for the KB value in events matching the EventCode:

sourcetype=WinEventLog:System EventCode=19 | eval Date=strftime(_time, "%Y/%m/%d") | rex "\WKB(?<KB>.\d+)\W" | stats count by Date, host, KB
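To check offline what the rex and stats stages of the query above produce, here is an added example (not part of the original page) that replays them in Python over constructed events. The sample hosts, timestamps and message texts are assumptions, and dates are rendered in UTC, whereas Splunk uses the searching user's time zone.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Same pattern as the rex stage; Python spells the named group (?P<KB>...).
# The captured value is the number only, without the "KB" prefix.
KB_RE = re.compile(r"\WKB(?P<KB>.\d+)\W")

PREFIX = ("Installation Successful: Windows successfully installed "
          "the following update: ")

# Constructed sample events: (epoch seconds, host, EventCode 19 message text)
SAMPLE_EVENTS = [
    (1489485600, "ws01", PREFIX + "Security Update for Windows (KB4012212)"),
    (1489489200, "ws02", PREFIX + "Security Update for Windows (KB4012212)"),
    (1489543200, "ws01", PREFIX + "Definition Update for Windows Defender"
                                  " - KB2267602 (Definition 1.239.530.0)"),
    (1489543260, "ws01", PREFIX + "Definition Update for Windows Defender"
                                  " - KB2267602 (Definition 1.239.541.0)"),
    # No KB identifier in the text: the rex extracts nothing for this event.
    (1489546800, "ws02", PREFIX + "Example Driver Update"),
]


def extract_kb(message):
    """Return the KB number the rex would capture, or None if it does not match."""
    match = KB_RE.search(message)
    return match.group("KB") if match else None


def patches_by_day(events):
    """Emulate: eval Date=strftime(...) | rex ... | stats count by Date, host, KB."""
    counts = Counter()
    for epoch, host, message in events:
        kb = extract_kb(message)
        if kb is None:
            # stats ... by KB drops events where KB is null, so updates
            # without a KB number never appear in the results.
            continue
        date = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y/%m/%d")
        counts[(date, host, kb)] += 1
    return counts


if __name__ == "__main__":
    for (date, host, kb), count in sorted(patches_by_day(SAMPLE_EVENTS).items()):
        print(date, host, kb, count)
```

Updates whose message carries no KB number are silently absent from the report, so a missing row is not proof that nothing was installed.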