I have Splunk using the local ModSec audit folder (containing concurrent logs) and I am able to search through the entries all right, but I am not seeing results or charts for any of the predefined stuff. I am using ModSec 2.7.
Also, there are literally thousands of sources (and growing). Is this a bad thing?
I figured out the issue and was able to use WAF-FLE. Why do you think it's better? I can't drill down the reports to find all the paths requested. It would seem Splunk has more sophisticated filters.
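Since the thread is about getting at the paths requested from ModSecurity 2.x audit log entries, here is an added example (not code from this thread, from Splunk, from ModSecurity or from WAF-FLE) that parses the native audit log format, the part-boundary layout that lands in each per-transaction file under the concurrent storage directory as well as in a serial log, and tallies request paths and intercepted transactions. The sample entries are constructed; `load_concurrent_dir` assumes nothing about the date-based subdirectory layout beyond reading every file under the tree.

```python
"""Parse ModSecurity 2.x native audit log entries and tally requested paths.

Added example, not code from the thread, Splunk, ModSecurity or WAF-FLE.
Handles one audit file (serial log) or a tree of per-transaction files
(SecAuditLogType Concurrent with SecAuditLogStorageDir).
"""
import os
import re
from collections import Counter
from urllib.parse import urlsplit

# Part boundary, e.g. "--c7736553-A--". Parts used here: A = audit header,
# B = request headers (first line is the request line), F = response headers,
# H = audit trailer (Message:/Action: lines), Z = end of transaction.
BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# Part A: [timestamp] unique_id client_ip client_port server_ip server_port
HEADER_RE = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")

# Constructed sample: three transactions in the native audit log format.
SAMPLE_AUDIT_LOG = """\
--c7736553-A--
[27/Feb/2013:12:34:56 +0000] UTCAb38AAQEAAFnGQPcAAAAA 192.168.1.10 54321 10.0.0.5 80
--c7736553-B--
GET /index.php?id=1%27%20OR%201=1 HTTP/1.1
Host: www.example.com
User-Agent: curl/7.29.0

--c7736553-F--
HTTP/1.1 403 Forbidden
Content-Length: 0

--c7736553-H--
Message: Access denied with code 403 (phase 2). Pattern match "or 1=1" at ARGS:id. [msg "Constructed SQLi example"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--c7736553-Z--

--d1a2b3c4-A--
[27/Feb/2013:12:35:01 +0000] UTCAb38AAQEAAFnGQPcAAAAB 192.168.1.11 54322 10.0.0.5 80
--d1a2b3c4-B--
GET /index.php HTTP/1.1
Host: www.example.com

--d1a2b3c4-F--
HTTP/1.1 200 OK
Content-Length: 512

--d1a2b3c4-H--
Engine-Mode: "DETECTION_ONLY"

--d1a2b3c4-Z--

--e5f6a7b8-A--
[27/Feb/2013:12:35:09 +0000] UTCAb38AAQEAAFnGQPcAAAAC 192.168.1.10 54330 10.0.0.5 80
--e5f6a7b8-B--
POST /login HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

--e5f6a7b8-C--
username=admin&password=secret
--e5f6a7b8-F--
HTTP/1.1 302 Found
Location: /

--e5f6a7b8-Z--
"""


def parse_entries(text):
    """Split audit log text into transactions: dicts of part letter -> lines."""
    entries, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            bid, part = m.groups()
            if part == "A":  # a new transaction starts at its A part
                current = {"id": bid}
                entries.append(current)
            if part == "Z":  # Z closes the transaction; ignore text until next A
                current, part = None, None
            elif current is not None:
                current[part] = []
            continue
        if current is not None and part is not None:
            current[part].append(line)
    return entries


def request_path(entry):
    """Path (query string stripped) from the request line in part B, or None."""
    fields = (entry.get("B") or [""])[0].split()
    return urlsplit(fields[1]).path if len(fields) >= 2 else None


def summarize(entry):
    """Flatten one transaction into the fields a report would drill down on."""
    hdr = HEADER_RE.match((entry.get("A") or [""])[0])
    req = (entry.get("B") or [""])[0].split()
    resp = (entry.get("F") or [""])[0].split()
    trailer = entry.get("H") or []
    return {
        "timestamp": hdr.group(1) if hdr else None,
        "unique_id": hdr.group(2) if hdr else None,
        "client_ip": hdr.group(3) if hdr else None,
        "method": req[0] if req else None,
        "path": request_path(entry),
        "status": int(resp[1]) if len(resp) > 1 and resp[1].isdigit() else None,
        "messages": [l[len("Message: "):] for l in trailer if l.startswith("Message: ")],
        "intercepted": any(l.startswith("Action: Intercepted") for l in trailer),
    }


def path_counts(entries):
    """How often each path was requested across the parsed transactions."""
    return Counter(p for p in (request_path(e) for e in entries) if p)


def load_concurrent_dir(storage_dir):
    """Read every per-transaction file under a concurrent audit log storage dir."""
    entries = []
    for root, _dirs, files in os.walk(storage_dir):
        for name in sorted(files):
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                entries.extend(parse_entries(fh.read()))
    return entries


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_AUDIT_LOG)
    for path, n in path_counts(ents).most_common():
        print(f"{n:5d}  {path}")
    for s in map(summarize, ents):
        if s["intercepted"]:
            print(s["unique_id"], s["client_ip"], s["method"], s["path"], s["messages"])
```

Point `load_concurrent_dir` at the `SecAuditLogStorageDir` tree to run the same tally over a real concurrent log; the request line in part B is the field to index if the goal is a per-path drill-down, and `intercepted` separates blocked transactions from ones merely logged.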