I am not getting any result for the Traffic Severity Panel on dashboard.
Looking at the search I have this
eventtype=css-wsa-squid http_result!="TCP_DENIED/407" | eval severity=cisco-wsa-score(x_wbrs_score) | eval severity=if(X-ScanVerdict=1,"red",severity) | timechart count by severity | table _time,red,orange,yellow,blue,green
I noticed the http_result is not a field on the search (running version 3.1.2 Cisco Security Suite & 3.2.3 on Cisco WSA)
What I dont now is what the eval severity=cisco-wsa-score(x_wbrs_score) does for me.
what is cisco-wsa-score?
Thanks in advance
Which Splunk app you are using for viz??
It seems cisco-wsa-score is a macro. You will find the logic in macros.conf in Splunk app.