This search is working for me, I've validated the output and it's accurate. I can change "-30d" to whatever time frame the search should alert on.
ex. "-7d" = displays rules that haven't fired in the last 7 days, but have before that
I've set my time range to "All Time."
I'm open to comments on making this more efficient.
sourcetype="my_source" fwrule="*"
| stats latest(_time) as Time by fwrule
| where relative_time(now(), "-30d") > Time
| eval Last_seen=strftime(Time, "%m/%d/%y %H:%M:%S")
| sort - Time
| fields - Time