Hello,

I am assuming that you are using Cisco Security Suite 3.1.1 and WSA TA 3.2.1. As part of recent changes in WSA TA 3.2.1, the lookup 'cisco_wsa_proxy_action_lookup' has changed some field names. Cisco Security Suite app has to be updated to be compatible with these changes. The next version of Cisco Security Suite will take care of it but for now, could you please try following changes in your local setup and see if it resolves this issue.

• Remove 'cisco_wsa_proxy_action_lookup.csv' from /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/lookups.
• Remove following line from /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/props.conf

LOOKUP-proxy_action = cisco_wsa_proxy_action_lookup vendor_action OUTPUT action AS proxy_action

• Remove following lines from /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/transforms.conf

[cisco_wsa_proxy_action_lookup]
filename = cisco_wsa_proxy_action_lookup.csv

• Restart Splunk

There is one more change in WSA TA 3.2.1 which may affect WSA Dashboards in Cisco Security Suite. All eventtypes have changed to use '_' instead of '-', so you may have to change 'cisco-wsa-squid' to 'cisco_wsa_squid' and 'cisco-wsa-w3c' to 'cisco_wsa_w3c' in all searches in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf.

Let me know if you need further help.