Hi, Try this add-on  for symantec Messaging gateway  https://splunkbase.splunk.com/app/5215/   ... View more

Would you mind if we continued this over e-mail? It appears this comment chain has gotten so long that replies are no longer displaying. cschmidt@hurricanelabs.com ... View more

hi, VPN events: jcoates-mba:Splunk_TA_cisco-asa jcoates$ pwd /Users/jcoates/Downloads/Splunk_TA_cisco-asa jcoates-mba:Splunk_TA_cisco-asa jcoates$ find . -name *.conf | xargs grep -in vpn ./default/props.conf:41:REPORT-vpn = cisco_fw_group, cisco_fw_user, cisco_fw_ip, cisco_fw_disconnect, cisco_fw_dap, cisco_fw_dap_2, cisco_fw_722 ./default/props.conf:42:REPORT-vpn-2 = cisco_fw_authentication_action, cisco_fw_session_type, cisco_fw_assigned_ip, cisco_fw_user-identity ./default/props.conf:126:REPORT-vpn = cisco_fw_group, cisco_fw_user, cisco_fw_ip, cisco_fw_disconnect, cisco_fw_dap, cisco_fw_dap_2, cisco_fw_722 ./default/props.conf:127:REPORT-vpn-2 = cisco_fw_authentication_action, cisco_fw_session_type, cisco_fw_assigned_ip, cisco_fw_user-identity ./default/transforms.conf:167:# VPN jcoates-mba:Splunk_TA_cisco-asa jcoates$ CIM is looking for tag=network tag=session tag=vpn (http://docs.splunk.com/Documentation/CIM/4.0.0/User/NetworkSessions) jcoates-mba:Splunk_TA_cisco-asa jcoates$ find . -name *.conf | xargs grep -in tag ./default/eventtypes.conf:3:#tags = authentication ./default/eventtypes.conf:7:#tags = network communicate ./default/eventtypes.conf:11:#tags = attack ids jcoates-mba:Splunk_TA_cisco-asa jcoates$ cat default/tags.conf [eventtype=cisco_connection] network = enabled communicate = enabled [eventtype=cisco_authentication] authentication = enabled [eventtype=cisco_intrusion] attack = enabled ids = enabled jcoates-mba:Splunk_TA_cisco-asa jcoates$ This looks like it doesn't have VPN support. Can we get some details on the logs? Feel free to contact me offline, I'd like to get some specific samples. ... View more

This still looks like it hasn't been fixed. 1.2 still has searches like these: index=box earliest = -30d|dedup event_id| stats count by ip_address| sort ip_address ... View more

I did a lot of editing of the follow-on comments, converting them from answers to comments. I then accepted the prevailing answer which does seem to be correct. P.S. folks, please try to only add a new "Answer" if it is answering the question at hand. Otherwise, just click in a comment box area to add a comment that's related either to the original question, or to one of the existing answers. That helps to keep the site clear of clutter and makes it easy for the next person to actually find the answer to their question. TIA ... View more