I am not getting any result for the Traffic Severity Panel on dashboard.
Looking at the search I have this
eventtype=css-wsa-squid http_result!="TCP_DENIED/407"
| eval severity=`cisco-wsa-score(x_wbrs_score)`
| eval severity=if('X-ScanVerdict'=1,"red",severity)
| timechart count by severity
| table _time,red,orange,yellow,blue,green
I noticed the http_result is not a field on the search (running version 3.1.2 Cisco Security Suite & 3.2.3 on Cisco WSA)
What I don't know is what the eval severity=cisco-wsa-score(x_wbrs_score) does for me.
What is cisco-wsa-score?
Thanks in advance
@lamelendrez
Which Splunk app are you using for viz?
It seems cisco-wsa-score is a macro. You will find the logic in macros.conf in the Splunk app.
https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Macrosconf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
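As an added illustration (not the Cisco Security Suite's own definition, whose real thresholds you have to read from its macros.conf), this is the shape a Splunk search macro that takes one argument has, and how the dashboard search calls it; the score cut-offs below are constructed placeholders:

```ini
# Hypothetical macros.conf stanza (added example; thresholds are constructed, not the app's real values).
# The "(1)" suffix declares a macro that takes exactly one argument.
[cisco-wsa-score(1)]
args = score
# $score$ is replaced with the argument text when the search is parsed, so the macro
# expands into an eval expression mapping a WBRS reputation score to a severity colour.
definition = case($score$ <= -6, "red", $score$ <= -3, "orange", $score$ < 0, "yellow", $score$ < 5, "blue", isnotnull($score$), "green")

# In SPL the macro is invoked inside backticks, which is what the dashboard search does:
#   ... | eval severity=`cisco-wsa-score(x_wbrs_score)` | ...
# If x_wbrs_score is not extracted from the event, $score$ is null, case() returns null,
# and severity ends up empty, so timechart has nothing to split by.
```

To see the definition actually installed on your search head, `splunk cmd btool macros list cisco-wsa-score --debug` prints the stanza together with the file it was loaded from.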