As @richgalloway said, you cannot look for something that's not there.
However, you can look for things that are in some places and not others.
You might do something like this on a periodic basis (of course, use whatever field names fit your environment):
index=ndx sourcetype=srctp hostname=* appname=*
| stats count by hostname
| fields - count
| outputlookup allendpointswithsoftware.csv
Now you have a list of all endpoints that have installed software of any kind.
Now get a list of all endpoints that have the AV software:
index=ndx sourcetype=srctp hostname=* appname="my-AV-name"
| stats count by hostname
| fields - count
| outputlookup allendpointswithavtools.csv
Then do a diff between them:
| inputlookup allendpointswithsoftware.csv
| search NOT
[ | inputlookup allendpointswithavtools.csv ]
This will give you all the hosts that weren't in the AV-is-installed list, but are known in Splunk.
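The same comparison as a single search, added here as an example and not part of the original answer: it counts AV inventory events per host and keeps the hosts where that count is zero, so no intermediate lookups are needed. The index, sourcetype, field names and AV name are the placeholders used in the answer; `av_events` is a hypothetical field name, and lowercasing `hostname` assumes the same host may be reported in mixed case.

```spl
index=ndx sourcetype=srctp hostname=* appname=*
| eval hostname=lower(hostname)
| stats count(eval(appname="my-AV-name")) as av_events by hostname
| where av_events=0
| fields hostname
```

Run it over a time range long enough for every endpoint to have reported its software inventory at least once; a host with no inventory events in that range does not appear in either approach.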