Solved: Splunk ES - Toubleshooting the Web Data Model

davidmonaghan · ‎01-17-2018

Hi All

I am looking for for some troubleshooting pointers for the following issue:

I have Splunk Enterprise Security installed and I am currently configuring it.
Receiving logs from cisco:wsa:squid
Splunk ES does not recognize the tags for the Web Data Model
The following searches run successfully outside of the Splunk ES App | datamodel Web Web search or (cim_Web_indexes) (tag=web tag=proxy)
The same searches fail inside the Splunk ES app
All TAs have been added with global permissions
The Data model has had it's constraints set (cim_Web_indexes) (tag=web)

Thanks

davidmonaghan · ‎01-17-2018

I believe I have discovered a solution to this problem.

Under Settings -> Event Types -> Splunk Add-on for Cisco WSA

The tag was not set for the cisco:wsa:squid event-type

Once this was changed and the Web Data Model was rebuilt, events began to populate in Cisco ES

davidmonaghan · ‎01-17-2018

I believe I have discovered a solution to this problem.

Under Settings -> Event Types -> Splunk Add-on for Cisco WSA

The tag was not set for the cisco:wsa:squid event-type

Once this was changed and the Web Data Model was rebuilt, events began to populate in Cisco ES

Splunk ES - Toubleshooting the Web Data Model