The default WSA "access logs" do not include the destination IP. To add this field to your access logs, you would need to add a %k on your WSA under System Administration, Log Subscriptions, (the logs your sending to Splunk), custom fields. I have added the following three variables to my custom fields to get user-agent, destination and WBRS threat reason into the logs. %u %k %XK cs(User-Agent) = %u = User agent. This field is written with double-quotes in the access log s-ip = %k = Data source IP address (server IP address) x-wbrs-threat-reason = %XK = Web reputation threat reason ... View more