I am collecting Cisco IronPort WSA events on Splunk 6.
The events got indexed at Splunk, and can be visualized via Search App.
However I am able not to visualize any data using from the Cisco Security Suite (http://apps.splunk.com/app/525/ in conjunction with the Splunk_TA_cisco-wsa).
We have been trying different índex and sourcetype configurations but they don’t seem to be working.
Have you any of one of you have found similar problems in the past? Any standard índex and sourcetype specification recommended?
Do you get results using the following search?
Also, did you copy the SA-cisco-wsa folder to $SPLUNK_HOME/etc/apps ?