Just to follow up, it looks like this app is expecting a different kind of syslog message than what a 9800 WLC sends. There are no file or file_name fields to identify the product as WLC. Since I have only one WLC, I added a stanza in the props.conf file found in apps\TA_cisco_catalyst\default:
[host::<IP of WLC>]
EVAL-product = "WLC"
It worked and I can sort by product now. The Wireless dashboard in the app is still blank with 'no results found' as it's looking for fields that probably don't exist on a 9800. I was able to get results in the 'Events with MAC addresses' section by editing the regex to match the actual MAC address format (xxxx.xxxx.xxxx instead of xx:xx:xx:xx:xx:xx).
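Added example, not part of the original post or of the TA_cisco_catalyst app: a matcher that accepts both MAC notations mentioned above (xx:xx:xx:xx:xx:xx and xxxx.xxxx.xxxx) and normalizes them to one form, so events from different device families can be correlated on the same address. The log lines are constructed and the function names are hypothetical.

```python
import re

HEX = r"[0-9A-Fa-f]"
# Either six colon-separated octets or three dot-separated 4-digit groups.
# The look-arounds stop a match from starting or ending inside a longer
# hex/separator run, while still allowing a sentence-ending period.
MAC_RE = re.compile(
    rf"(?<!{HEX})(?<!{HEX}[:.])"
    rf"(?:(?:{HEX}{{2}}:){{5}}{HEX}{{2}}|(?:{HEX}{{4}}\.){{2}}{HEX}{{4}})"
    rf"(?!{HEX})(?![:.]{HEX})"
)

def normalize(mac):
    """Return the MAC as lowercase colon-separated octets."""
    digits = re.sub(r"[:.]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def extract_macs(line):
    """Find every MAC in a log line, in either notation, normalized."""
    return [normalize(m.group(0)) for m in MAC_RE.finditer(line)]

# Constructed sample lines (not real device output).
SAMPLE = [
    "Jan 10 08:15:02 wlc01 client 00a1.b2c3.d4e5 associated to AP lobby",
    "Jan 10 08:15:09 sw01 host 00:A1:B2:C3:D4:E5 moved to port Gi1/0/4",
    "Jan 10 08:15:11 wlc01 session from 10.20.30.40 closed",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(extract_macs(line), "<-", line)
```

Timestamps and IPv4 addresses in the same line are not picked up, because neither has six two-digit hex groups or three four-digit hex groups.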
The Data Summary only shows the data in the indexes that you search by "default". You have permissions to access the ecb and network indexes but they are not listed as a "default" index for you. You can change this by editing the Access Controls in the Splunk Manager.
For the sake of completion, here is what I ended up using:
index=eaccess Card_Name="John*"
| rename _time as Date/Time
| fieldformat Date/Time = strftime('Date/Time',"%m/%d/%y %I:%M:%S %p")
| table Date/Time, Location
| sort Date/Time
If the sort command is left out, clicking on the table header won't change the sorting order.