Splunk Search

How to display a table with bandwidth by category for Cisco WSA data?

rubeniturrieta
Communicator

Hi everyone,

I have a Splunk server receiving Cisco WSA data. I need to display bandwidth by category in a table, for example:

  1. Social Networking, 52 GB
  2. News, 45 GB
  3. Shopping, 5 GB

I don't see any field for this. Do I need something like NetFlow?

Does someone know how to do this?

I'll be very thankful for any help.

0 Karma
1 Solution

aljohnson_splun
Splunk Employee

What you need is an evaluated field.

sourcetype=cisco_wsa_squid 
| eval bandwidth=sc_bytes/1024/1024 
| stats sum(bandwidth) by x_webcat_code_full
| rename x_webcat_code_full as "Web Category", sum(bandwidth) as "Bandwidth (MB)"

You can make this into a calculated field (automatic) as well. From the Web GUI, go to:

  1. Settings > Fields
  2. Calculated Fields
  3. New

Here is an example of making a bandwidth field for GB: [screenshot]

You can also do this with props.conf.

See this documentation on using props.conf.
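Added example, not part of the answer above: the same search carried through to the ranked gigabyte table the question asked for. It sums the raw sc_bytes per category first and converts once afterwards (one eval on the aggregated rows instead of one per event), then sorts and keeps the top categories. The sourcetype and field names are the ones used in this thread; the two-decimal rounding and the top-10 cut are assumptions.

```spl
sourcetype=cisco_wsa_squid
| stats sum(sc_bytes) as total_bytes by x_webcat_code_full
| eval "Bandwidth (GB)"=round(total_bytes/1024/1024/1024, 2)
| sort - "Bandwidth (GB)"
| head 10
| rename x_webcat_code_full as "Web Category"
| table "Web Category" "Bandwidth (GB)"
```

If the calculated field from the screenshot is defined instead, replace the eval with a sum over that field; the result is the same, but converting after the stats keeps the aggregation cheaper on large volumes.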

rubeniturrieta
Communicator

That's the right answer, thank you very much.

0 Karma

aljohnson_splun
Splunk Employee

Do you have an x_webcat_code_full field? You may have a field for this data.
Have you seen this Splunk for Cisco WSA Add-on?

0 Karma

rubeniturrieta
Communicator

Yes, I have that field, and I've seen that Add-on, but I don't have any bandwidth field to make a table like this.

0 Karma