Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I display hosts which do not have AntiVirus installed but require it in Splunk Enterprise Security?

daniel333
Builder
‎03-21-2017 02:15 PM

All,

Might just be lack of caffeine here. But I can't quite get this subsearch working.

I have my assets.csv setup for Splunk Enterprise Security (ES) -
dest_requires_av=True

I can see hosts checking in with with malware logs with
tag=malware

How can I made a dashboard that basically says
"If AV (AntiVirus) is required, and no AV logs are found, list hosts in a table"

Something like 

|inputlookup assets.csv | [my subsearch] | table myhosts...
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎03-21-2017 06:31 PM

Hi daniel333,

something like this should get you started:

  | inputlookup assets.csv | search NOT [  search the search to return AV logs | dedup host | fields host ]

You could also use inputlookup append=t and stats to count the host

  search to get the av logs | inputlookup append=t assets.csv | stats dc(host) AS count | where count < 2

the second one is untested, but will handle large amounts of events faster 😉

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...