davidmonaghan
Explorer
01-17-2018
06:19 AM
Hi All
I am looking for some troubleshooting pointers for the following issue:
- I have Splunk Enterprise Security installed and I am currently configuring it.
- Receiving logs from cisco:wsa:squid
- Splunk ES does not recognize the tags for the Web Data Model
- The following searches run successfully outside of the Splunk ES App: | datamodel Web Web search or (`cim_Web_indexes`) (tag=web tag=proxy)
- The same searches fail inside the Splunk ES app
- All TAs have been added with global permissions
- The Data model has had its constraints set (`cim_Web_indexes`) (tag=web)
Thanks
1 Solution
davidmonaghan
Explorer
01-17-2018
07:32 AM
I believe I have discovered a solution to this problem.
Under Settings -> Event Types -> Splunk Add-on for Cisco WSA, the tag was not set for the cisco:wsa:squid event-type.
Once this was changed and the Web Data Model was rebuilt, events began to populate in Cisco ES.
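
A check for the condition described in the answer above, as an added example that is not part of the original post or the add-on's own code: it parses `eventtypes.conf` and `tags.conf` content and reports event types for a sourcetype that lack an enabled copy of the `web` and `proxy` tags used in the searches from the question. The sample configs, the event type names and the second sourcetype are constructed for illustration.

```python
import configparser

# Constructed sample configs (not the add-on's shipped files; the event type
# names and the "example:other" sourcetype are hypothetical).
EVENTTYPES_CONF = """
[wsa_squid_example]
search = sourcetype=cisco:wsa:squid

[other_example]
search = sourcetype=example:other
"""

TAGS_CONF = """
[eventtype=wsa_squid_example]
web = disabled

[eventtype=other_example]
network = enabled
"""

def _parse(text):
    # Splunk .conf stanzas are INI-like; keep key case, no % interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def missing_tags(eventtypes_conf, tags_conf, sourcetype, required=("web", "proxy")):
    """Return {eventtype: [missing tags]} for event types whose search
    references `sourcetype` but that lack an enabled copy of a required tag."""
    ets, tags = _parse(eventtypes_conf), _parse(tags_conf)
    report = {}
    for name in ets.sections():
        if sourcetype not in ets[name].get("search", ""):
            continue
        stanza = "eventtype=" + name  # tags.conf stanza form: [eventtype=<name>]
        enabled = set()
        if tags.has_section(stanza):
            # A tag set to "disabled" does not satisfy a tag=... constraint.
            enabled = {t for t, v in tags[stanza].items()
                       if v.strip().lower() == "enabled"}
        missing = [t for t in required if t not in enabled]
        if missing:
            report[name] = missing
    return report

if __name__ == "__main__":
    print(missing_tags(EVENTTYPES_CONF, TAGS_CONF, "cisco:wsa:squid"))
```

An empty result means every matching event type carries the required tags; the data model still has to be rebuilt afterwards, as the answer notes.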
