Splunk Enterprise Security

How can I display hosts which do not have AntiVirus installed but require it in Splunk Enterprise Security?


All,

Might just be lack of caffeine here. But I can't quite get this subsearch working.

I have my assets.csv set up for Splunk Enterprise Security (ES) -
destrequiresav=True

I can see hosts checking in with malware logs with
tag=malware

How can I make a dashboard that basically says
"If AV (AntiVirus) is required, and no AV logs are found, list hosts in a table"

Something like

|inputlookup assets.csv | [my subsearch] | table myhosts...

Re: How can I display hosts which do not have AntiVirus installed but require it in Splunk Enterprise Security?

SplunkTrust

Hi daniel333,

Something like this should get you started:

  | inputlookup assets.csv | search NOT [  search the search to return AV logs | dedup host | fields host ]

You could also use inputlookup append=t and stats to count the host

  search to get the av logs | inputlookup append=t assets.csv | stats count BY host | where count < 2

The second one is untested, but will handle large amounts of events faster 😉

Hope this helps ...

cheers, MuS

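A fuller version of the append-and-stats approach from the answer above, added here as an example and not code from either poster. It uses the page's `tag=malware` search and `destrequiresav` flag; it assumes that assets.csv identifies the host in a field named `nt_host` and that the AV events carry the host in `dest` (both field names are assumptions, so adjust them to your asset lookup and data model). Hostnames are lowercased on both sides so a case mismatch between the asset list and the logs does not make a covered host look unprotected, and the lookup is filtered to required hosts before anything is joined.

```spl
| inputlookup assets.csv where destrequiresav=True
| eval host=lower(nt_host), seen_in="asset_list"
| append
    [ search tag=malware earliest=-7d
      | eval host=lower(dest), seen_in="av_log"
      | stats count BY host, seen_in ]
| stats values(seen_in) AS seen_in BY host
| where isnull(mvfind(seen_in, "^av_log$"))
| table host, seen_in
```

Every required asset contributes one `asset_list` row; hosts that reported AV events in the window also get an `av_log` row, so anything whose `seen_in` never contains `av_log` is a host that requires AV but was silent. The `stats count BY host, seen_in` inside the `append` collapses the raw events to one row per host before they are merged, which keeps the merged result small. Note that `append` is still bounded by the subsearch limits (10,000 results and 60 seconds by default), so on a large estate run the malware search as the outer search and `inputlookup append=t` the asset list, as in the answer, or schedule the AV-seen host list into a summary index and look that up instead.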