The default WSA "access logs" do not include the destination IP. To add this field to your access logs, you would need to add a %k on your WSA under System Administration, Log Subscriptions, (the logs your sending to Splunk), custom fields. I have added the following three variables to my custom fields to get user-agent, destination and WBRS threat reason into the logs.
%u %k %XK
cs(User-Agent) = %u = User agent. This field is written with double-quotes in the access log
s-ip = %k = Data source IP address (server IP address)
x-wbrs-threat-reason = %XK = Web reputation threat reason
... View more