Re: can splunk generate report based on destinatio...

bijin · ‎12-01-2011

can splunk generate report based on destination ip address in ironport WSA reporting?

imarks004 · ‎12-08-2011

The default WSA "access logs" do not include the destination IP. To add this field to your access logs, you would need to add a %k on your WSA under System Administration, Log Subscriptions, (the logs your sending to Splunk), custom fields. I have added the following three variables to my custom fields to get user-agent, destination and WBRS threat reason into the logs.

%u %k %XK

cs(User-Agent) = %u = User agent. This field is written with double-quotes in the access log
s-ip = %k = Data source IP address (server IP address)
x-wbrs-threat-reason = %XK = Web reputation threat reason

gekoner · ‎12-01-2011

The simple answer - Yes!
Now to the details. You will have to get the logs indexed into a Splunk index obviously. I would think sysylog would be the most efficient way.
What I'd recommend is you build a dashboard with a chart or table based on values (the destination ip address) in this situation.
Then you can graph and view the range based upon your needs. If you need to export this then you can just use the Export functionality to get yourself a document with the output you are looking for.

can splunk generate report based on destination ip address in ironport WSA reporting

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation