There is probably a better way to do this, but I am trying to catalog which rules are (and are not) used, using the firewall log and a list of rules. I came up with this search, but it does not show me rules that are matched zero times (even though the left-hand side is the rule list):
sourcetype=RULELIST | chart list(rule) | map search=search sourcetype=FW-LOG | stats count(rule) by rule
FW-LOG looks like this:
date=11111 rule=2
date=11112 rule=3
date=11113 rule=3
date=11114 rule=4
RULELIST looks like this:
rule=1,ruledesc=rule1
rule=2,ruledesc=this is rule2
rule=3,ruledesc=some other rule
rule=4,ruledesc=blah
What I expect to see is this:
rule count
1 0
2 1
3 2
4 1
But instead, I see this:
rule count
2 1
3 2
4 1
And I really want to know what rules are NOT getting used. Maybe there is an option to map? Any thoughts on this? TIA
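An added example (not part of the original question): starting from the rule list and left-joining the firewall counts onto it keeps every rule, including those with no matching log events, which is what the map-based search drops. It assumes the fields rule and ruledesc are already extracted from both sourcetypes as in the samples above.

```spl
sourcetype=RULELIST
| fields rule ruledesc
| join type=left rule
    [ search sourcetype=FW-LOG
      | stats count AS hits BY rule ]
| fillnull value=0 hits
| table rule ruledesc hits
| sort rule
```

Appending "| where hits=0" lists only the unused rules. Because join runs the firewall count as a subsearch, it is subject to Splunk's subsearch result limits; for very large rule sets, appending the rule list to the firewall counts and summing with stats by rule avoids that limit.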