I have tried to get the list of endpoints and servers which are not updated with the latest AV DAT versions in the network; however, I have had no luck after executing the query. We are using SEP as an AV, and want to get this as a pie chart or dashboard. But we are receiving normal logs from this server.
See some ideas here: http://answers.splunk.com/answers/92618/symantec-endpoint-version.html
Please provide some sample log entries and the query you've tried.