All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to import data into Splunk from Websense Proxy version 7.5?

dimitris_vergos
Path Finder
‎10-29-2015 01:22 AM

Has anyone imported data into Splunk from Websense Proxy in version 7.5?

Unfortunately, you cannot send to SIEM via Syslog and need to grab the data from the SQL Database.

If anyone has done this, do you mind sharing the process.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

krish3
Contributor
‎10-29-2015 01:48 AM

Hi Dimitris,

You could try exporting logs to specific location from websense and pick it up using a forwarder.

Or

You could try to pull data from SQL database using DBconnect app. (Since it is a proxy it might not be a good idea to put additional load on database.)

Thanks,

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dimitris_vergos
Path Finder
‎03-12-2016 10:14 PM

If anyone else has the same question, this is the query that I used.

Note: Some additional field extractions may be necessary.

"SELECT TOP 100000
i.date_time as [date],
i.record_number as session_id,
i.source_server_ip_int as dvc,
i.source_ip_int as src,
i.destination_ip_int as dest,
i.full_url,
i.url,
i.port,
p.name as app,
pc.name as app_category,
i.bytes_sent as bytes_out,
i.bytes_received as bytes_in,
i.duration,
i.category as category_id,
CASE when c.parent_category=0 then c.name
ELSE c.child_name END as category,
u.user_login_info as [user],
i.hits,
d.description as action_description,
dp.name as ws_action

FROM (((((incoming i left join users u on i.user_id=u.user_id)
left join protocols p on i.protocol_id=p.id)
left join protocol_category pc on p.parent_id=pc.id)
left join category c on i.category=c.category)
left join disposition d on i.disposition_code=d.disposition_code)
left join disposition_parent dp on d.blocking=dp.disposition_parent_id"

Reply
Solved! Jump to solution
Solution

krish3
Contributor
‎10-29-2015 01:48 AM

Hi Dimitris,

You could try exporting logs to specific location from websense and pick it up using a forwarder.

Or

You could try to pull data from SQL database using DBconnect app. (Since it is a proxy it might not be a good idea to put additional load on database.)

Thanks,

0 Karma
Reply
Solved! Jump to solution

dimitris_vergos
Path Finder
‎10-29-2015 02:41 AM

I will proceed with DB connect, and pull in the data from there and monitor also to see the load that it will apply by pulling the data.

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...