Splunk Enterprise Security

How can I display hosts which do not have AntiVirus installed but require it in Splunk Enterprise Security?



Might just be lack of caffeine here. But I can't quite get this subsearch working.

I have my assets.csv setup for Splunk Enterprise Security (ES) -

I can see hosts checking in with with malware logs with

How can I made a dashboard that basically says
"If AV (AntiVirus) is required, and no AV logs are found, list hosts in a table"

Something like

|inputlookup assets.csv | [my subsearch] | table myhosts...
0 Karma


Hi daniel333,

something like this should get you started:

  | inputlookup assets.csv | search NOT [  search the search to return AV logs | dedup host | fields host ]

You could also use inputlookup append=t and stats to count the host

  search to get the av logs | inputlookup append=t assets.csv | stats dc(host) AS count | where count < 2

the second one is untested, but will handle large amounts of events faster 😉

Hope this helps ...

cheers, MuS

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!