We run a report every week that counts how many times a firewall policy was used (a firewall policy is represented by a number).
What I would like to do is compare a master list of all the firewall policies that exist against policies that never show up in the logs. If a policy doesn't show up in the logs, then it obviously isn't being used.
Would I use a lookup for this? Would I set up the master list of policies somewhere, then somehow search the logs to see which ones are NOT in the logs? How would I go about achieving something like this?
Thanks!
I tweaked the search from another article and got it to work using this:
index="summary" policy_id=* | inputlookup append=t allfirewallpolicies | rename PolicyID as policy_id | stats count by policy_id | eval count=count-1 | sort count
Thanks!
You could store the entire list of firewall policies in a CSV file for example. Say one column for the policy_id, one for a human-readable name. You'd start off your query with inputlookup, then filter that against a subsearch that lists every firewall policy that was used. In pseudosplunk it might look something like this:
| inputlookup firewall_policies.csv | search NOT [search index="summary" policy_id=* | stats count by policy_id | return 10000 policy_id]
Thank you! Where do I place the csv file of the entire firewall policy list?
The simplest way would be to put it into $SPLUNK_HOME/etc/system/lookups; anything in there can be referenced by file name.
Alternatively, you can define an input table in props.conf and transforms.conf and reference that name. Consult the docs for that: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions
So I have the lookup uploaded and working, but I can't get the query to run correctly.
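An added example, not from any of the posts above: an offline Python model of the two searches in this thread, the append-then-count-minus-one search and the inputlookup-with-NOT-subsearch anti-join, run over a constructed master CSV and constructed firewall log lines so the logic can be checked without a Splunk instance. The master list mirrors the two-column CSV suggested in the answer; the log line format, policy ids and policy names are assumptions. It also shows two things the searches alone do not: ids must be normalised before grouping (a zero-padded "0011" is a different group from "11" to stats), and ids that appear in the logs but are missing from the master list are not flagged by the append trick, so they are reported separately.

```python
import csv
import io
import re
from collections import Counter

# Constructed master list of firewall policies, in the shape the answer suggests:
# one column for the id, one for a human-readable name. Ids and names are made up.
MASTER_CSV = """policy_id,name
10,allow-dns-out
11,allow-web-out
12,allow-smtp-relay
20,deny-telnet-in
21,deny-rdp-from-internet
"""

# Constructed firewall log lines. The field name policy_id matches the searches in the
# thread; the rest of the line format is an assumption, not taken from any real product.
LOG_LINES = [
    "Jan 12 03:11:02 fw01 action=allow policy_id=10 src=10.0.1.5 dst=8.8.8.8",
    "Jan 12 03:11:03 fw01 action=allow policy_id=11 src=10.0.1.7 dst=93.184.216.34",
    "Jan 12 03:11:09 fw01 action=deny policy_id=21 src=203.0.113.9 dst=10.0.2.15",
    "Jan 12 03:12:40 fw01 action=allow policy_id=11 src=10.0.1.8 dst=93.184.216.34",
    "Jan 12 03:13:01 fw01 action=allow policy_id=0011 src=10.0.1.9 dst=93.184.216.34",  # zero-padded id
    "Jan 12 03:14:55 fw01 action=deny policy_id=99 src=198.51.100.2 dst=10.0.2.15",  # not in the master list
]

POLICY_RE = re.compile(r"\bpolicy_id=(\S+)")


def norm(pid):
    """Canonicalise a policy id. `stats count by policy_id` groups on the literal string,
    so "0011" and "11" would be two groups; assuming ids are decimal numbers, strip padding."""
    pid = pid.strip()
    return str(int(pid)) if pid.isdigit() else pid


def load_master(text):
    """Return {policy_id: name} from the CSV text (models `| inputlookup`)."""
    return {norm(row["policy_id"]): row["name"] for row in csv.DictReader(io.StringIO(text))}


def extract_ids(lines):
    """Return one normalised policy id per log line that carries one (models `policy_id=*`)."""
    return [norm(m.group(1)) for line in lines for m in [POLICY_RE.search(line)] if m]


def usage_counts(master, ids):
    """Models the append trick: `inputlookup append=t` adds one synthetic result per master
    row, so `stats count by policy_id | eval count=count-1` leaves the real hit count,
    with 0 for ids that never appear in the logs."""
    counts = Counter(ids)
    return {pid: counts.get(pid, 0) for pid in master}


def unused_policies(master, ids):
    """Models `| inputlookup ... | search NOT [subsearch of used ids]`: a plain anti-join."""
    seen = set(ids)
    return sorted(pid for pid in master if pid not in seen)


def unknown_policies(master, ids):
    """Ids seen in the logs but absent from the master list. The append search does not
    flag these (their count just comes out one short), so check them separately to catch
    a stale master list."""
    return sorted(set(ids) - set(master))


def report(master, ids):
    """(policy_id, name, count) rows ordered like `| sort count`: unused policies first."""
    counts = usage_counts(master, ids)
    return sorted(((pid, master[pid], n) for pid, n in counts.items()), key=lambda r: (r[2], r[0]))


if __name__ == "__main__":
    master = load_master(MASTER_CSV)
    ids = extract_ids(LOG_LINES)
    for pid, name, n in report(master, ids):
        print(f"{pid:>6}  {name:<24} {n}")
    print("unused :", unused_policies(master, ids))
    print("unknown:", unknown_policies(master, ids))
```

Running it lists policies 12 and 20 with a count of 0 (the same rows the `NOT` subsearch returns), folds the zero-padded `0011` into policy 11, and reports 99 as a policy present in the logs but missing from the master list. In Splunk the equivalent of `norm` is an `eval policy_id=tonumber(policy_id)` (or a `rename` plus `eval`) applied to both the events and the lookup rows before `stats`, and the unknown-id check is `| search NOT [| inputlookup ... | return 10000 policy_id]` with the roles of the two sides swapped.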