Hi,
I have about 100 rules and I want to count the number of logs that are related to each rule.
When I used "stats count", it counted those rules that have 1 or more logs, but didn't show the rules with zero hits.
I tried to import a CSV file that contains all the rules and to remove the rows that contain rules with 1 or more hits.
Moreover, I tried the suggestion here with no luck:
Solved: Using Splunk to Find Unused Firewall Policies - Splunk Community
Any suggestion?
Thanks 🙂
Hi @joock3r,
you have to put the firewall rules in a lookup (called e.g. firewall_rules.csv) containing at least one field (called rule).
In the firewall events you extracted a field called rule whose contents should match the lookup.
In this case, you could run this search to identify the unused ones.
index=your_index rule=*
| eval rule=lower(rule)
| stats count BY rule
| append [ | inputlookup firewall_rules.csv | eval rule=lower(rule), count=0 | fields rule count ]
| stats sum(count) AS total BY rule
| where total=0
In this way you'll have the missing rules.
Ciao.
Giuseppe
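The same append-and-sum logic, written as an added Python example (not from the thread or from Splunk) so you can check the result offline: each function mirrors one stage of the SPL above, and the constructed rule lookup and events are assumptions. It also shows why the `lower()` step matters when the case in the events differs from the case in the lookup.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample lookup, standing in for firewall_rules.csv (assumption).
FIREWALL_RULES_CSV = """rule
Allow-Web-Inbound
Allow-DNS-Out
Block-Telnet
Allow-Legacy-FTP
"""

# Constructed sample events (assumption); the "rule" field is pulled out with a
# regex here, where the SPL relies on an already-extracted field.
FIREWALL_EVENTS = [
    'action=allow src=10.0.0.5 dst=203.0.113.10 rule="allow-web-inbound"',
    'action=allow src=10.0.0.7 dst=198.51.100.53 rule="Allow-DNS-Out"',
    'action=deny  src=10.0.0.9 dst=203.0.113.22 rule="BLOCK-TELNET"',
    'action=allow src=10.0.0.5 dst=203.0.113.10 rule="Allow-Web-Inbound"',
    'action=deny  src=10.0.0.9 dst=203.0.113.22',   # no rule field: dropped by rule=*
]

RULE_FIELD = re.compile(r'rule="([^"]*)"')


def rule_hit_counts(events):
    """index=your_index rule=* | eval rule=lower(rule) | stats count BY rule"""
    counts = Counter()
    for line in events:
        m = RULE_FIELD.search(line)
        if m and m.group(1):                 # rule=* keeps only events with a non-empty rule
            counts[m.group(1).lower()] += 1  # eval rule=lower(rule)
    return counts


def lookup_rules(csv_text):
    """| inputlookup firewall_rules.csv | eval rule=lower(rule)"""
    return [row["rule"].lower() for row in csv.DictReader(io.StringIO(csv_text))]


def unused_rules(events, csv_text):
    """append the lookup rows with count=0, sum per rule, keep total=0"""
    totals = Counter({r: 0 for r in lookup_rules(csv_text)})  # the appended count=0 rows
    totals.update(rule_hit_counts(events))                     # stats sum(count) AS total BY rule
    return sorted(r for r, total in totals.items() if total == 0)  # where total=0


if __name__ == "__main__":
    for r in unused_rules(FIREWALL_EVENTS, FIREWALL_RULES_CSV):
        print(r)
```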
Works like a charm. Thanks!
Hi @joock3r,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉