Might just be lack of caffeine here. But I can't quite get this subsearch working.
I have my assets.csv setup for Splunk Enterprise Security (ES) -
I can see hosts checking in with with malware logs with
How can I made a dashboard that basically says
"If AV (AntiVirus) is required, and no AV logs are found, list hosts in a table"
|inputlookup assets.csv | [my subsearch] | table myhosts...
something like this should get you started:
| inputlookup assets.csv | search NOT [ search the search to return AV logs | dedup host | fields host ]
You could also use inputlookup append=t and stats to count the host
search to get the av logs | inputlookup append=t assets.csv | stats dc(host) AS count | where count < 2
the second one is untested, but will handle large amounts of events faster 😉
Hope this helps ...