Not sure if anyone came across this. I just installed Splunk Add-on for Cisco WSA v 3.1.1.
Ironport WSA Log is indexed as sourcetype cisco:wsa:squid
However, in my search window I am not being able to see any of the fields that is suppose to be extracted by props.conf and transforms.conf of the TA. I am only seeing default fields such as host, source, sourcetype etc,
TA is installed in heavy forwarder, indexer and the search head.
This is what I did to fix the transform. The original did not take into account underscores in the status.
In field transform: kv_for_cisco_wsa_squid
ORG: 19 groups
([0-9.]) *[0-9] ([0-9.]) ([A-Z_])/([0-9]) ([0-9]) ([A-Z]) ([^ ]) "?([^ "])"? ([^/])/([^ ]) ([^ ]) ([^ ]+) <([^,]+),([^,]+),"([0-9]{0,2}|-|\w+)","([^"]+)",[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,"([^"]+)",[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,"([^"]+)",[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^>]+>\s*-\s*"?([^"]+)"?$
FIX: 19 groups
([0-9.]) *[0-9] ([0-9.]) ([A-Z_])/([0-9]) ([0-9]) ([A-Z]\S[A-Z]) ([^ ]) "?([^ "])"? ([^/])/([^ ]) ([^ ]) ([^ ]+) <([^,]+),([^,]+),"([0-9]{0,2}|-|\w+)","([^"]+)",[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,"([^"]+)",[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,"([^"]+)",[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^>]+>\s-\s*"?([0-9.]*).$
Also to get the specific data inbetween the < .... > I replaced: ,[^,]+ with ,([^,]+)
My fix - YMMV - 51 groups
([0-9.]) *[0-9] ([0-9.]) ([A-Z_])/([0-9]) ([0-9]) ([A-Z]\S[A-Z]) ([^ ]) "?([^ "])"? ([^/])/([^ ]) ([^ ]) ([^ ]+) <([^,]+),([^,]+),([^,]+),"([^"]+)",([^,]+),([^,]+),([^,]+),([^,]+),"([^"]+)",([^,]+),([^,]+),([^,]+),"([^"]+)",([^,]+),([^,]+),"([^"]+)","([^"]+)",([^,]+),([^,]+),([^,]+),([^,]+),"([^"]+)","([^"]+)","([^"]+)","([^"]+)","([^"]+)","([^"]+)",([^,]+),([^,]+),([^,]+),"([^"]+)","([^"]+)",([^,]+),"([^"]+)",([^,]+),([^,]+),"([^"]+)","([^"]+)">\s-\s*"?([0-9.]*).$
Lets give a try,
Hope it can help.
Tired that. It resulted one or two extracted fields and very strange other fields.
I logged a support call with Splunk and been advised its a bug. Reported as ADDON-2774. They provided me a new regex as a work around, but that did not work either.
I rolled back the apps to older version.
Hi, from witch app do you send your querry?
I tried both in search as well as TA for wsa apps (by making it visible). Both same result. It may potentially a bug in the apps.
Share the query you are using?
index=webproxy sourcetype=cisco:wsa:squid