Thanks to all that responded. Below is what I ended up with. It still has some bad apples but that is not because of the search but rather something else with the system or data that is not consistent with all of the other systems. I mostly notice issues with systems that are Server 2012 or 2016. Out of roughly 300 systems they are only a few bad apples.   index=index type="Windows:UpdateList" | eval Installedon=strptime(Installedon,"%m/%d/%Y") | stats latest(Installedon) as LastUpdate by host | where LastUpdate<=relative_time(now(), "-30d") | eval LastUpdate=strftime(LastUpdate,"%m/%d/%Y") | sort LastUpdate ... View more

Thanks for the reply! This search gives me the below results. (I'm only showing a few of the results) index=endpoint_mcs_server sourcetype="Windows:UpdateList" | stats latest(Installedon) as LastPatchDate by host host LastPatchDate Computer1 09/06/2022 Computer2 09/06/2022 Computer3 09/06/2022 Computer4 09/14/2022 Computer5 09/23/2022 Computer6 10/11/2022   Would it be possible to just add to that search with something like: | Where LastPatchDate > 30d Or do I have to use | Eval ? Seems I should be able to add to the search above to only show results where LastPatchDate is older than X amount of days. Thanks again for the assistance. ... View more

Thanks for the reply Tom.   I wasn't able to get this to work the way I need it to. ... View more