Splunk Version: v6.2.2
Add-On: Cisco Web Security Advanced Reporting 4.5.0
I have configured the WSA Add-on for Access, TrafMon, and AMP logs to be sent to the WSA. If I check the directories where these logs are being FTP'ed from the WSA, I can see tons of files in all 3 of them.
However, when I navigate to the Advanced Malware Dashboards (all of them), they all show no results in each section of every AMP dashboard.
Any idea why this is happening? Our license covers: wsa_trafmonlogs, wsa_accesslogs, wsa_w3clogs, wsa_syslog, wsa_amplogs, ciscocws
Any help would be appreciated!
Thanks in Advance,
Splunk Add-on for WSA is Splunk supported and you can expect that it will help you get the data into indexes for reporting. You'll be able to use its prebuilt panels and you'll be able to build your own reports and alerts.
I don't know what all the rest of this is about? I'm guessing Cisco Security Suite?
jcoates, thanks for the reply.
The issue was that the AMP dashboards were showing as empty for the 29th, 30th and 1st (end of Sept and start of Oct), even though there was data coming into Splunk server. But, the 28th WAS showing data in the AMP Dashboards for the Cisco Ironport WSA Add-On.
But, I have been working with Cisco TAC on this so I think we have it covered.
Now, I just returned back to Splunk after a few hours and I logged-in and went to the Cisco WSA add-on page.The "Overview" page that is displayed as the default page when going to that app is now empty as well. All the data in the directories where the logs are stored are all still there... Every dashboard I now go to is empty??? What could be happening here...?
UPDATE: I still see nothing when going to the Cisco WSA Reporting Add-on's Overview page. But, if I change the time-interval dropdown box to
"90 Days" and I leave the Data Source dropdown to
"All" and the Host dropdown to
"*[all hosts]" I can at least get some data for the WSA Overview page. But, when initially going to the Overview page with the default options, I get "No results found" in all of the graph/data boxes... Also, if I set the time-range to
"Week" and leave the others the same, it's only showing data in the Sept 28th columns, however the directories contain log files from the WSA for all days including today... What's the deal here?
ANOTHER UPDATE: I'm getting the feeling there is something going on with the recent data/log files in the log directories... Even though the files are there for the 28th, 29th and 30th it is not showing the data for anything other then the 28th... If I change the end of the URL of the Overview page from
?earliest=-72h&latest=now&form.host=* it shows data for only the 28th...
I just re-edited your post to include the official tag for the Splunk Add-on for Cisco WSA so the right people should be notified to help you out. Unfortunately, I'm not the developer or an expert on troubleshooting this particular issue, but hopefully this will help get your issue seen by the right folks. Good luck!
Just to clarify for other users, but are you referring to the Splunk Add-on for Cisco WSA in your post? https://splunkbase.splunk.com/app/1747/
It wasn't tagged, so wanted to make sure it is if that is what you're referring to for better visibility of your question. You explicitly stated another add-on, but that's not an add-on from Splunkbase.