Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I display hosts which do not have AntiVirus installed but require it in Splunk Enterprise Security?

daniel333
Builder
‎03-21-2017 02:15 PM

All,

Might just be lack of caffeine here. But I can't quite get this subsearch working.

I have my assets.csv setup for Splunk Enterprise Security (ES) -
dest_requires_av=True

I can see hosts checking in with with malware logs with
tag=malware

How can I made a dashboard that basically says
"If AV (AntiVirus) is required, and no AV logs are found, list hosts in a table"

Something like 

|inputlookup assets.csv | [my subsearch] | table myhosts...
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎03-21-2017 06:31 PM

Hi daniel333,

something like this should get you started:

  | inputlookup assets.csv | search NOT [  search the search to return AV logs | dedup host | fields host ]

You could also use inputlookup append=t and stats to count the host

  search to get the av logs | inputlookup append=t assets.csv | stats dc(host) AS count | where count < 2

the second one is untested, but will handle large amounts of events faster 😉

Hope this helps ...

cheers, MuS

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...