I am trying to run the searches that come with the IronPort Web Security portion of Cisco Security for Splunk, and nothing comes up. The logs are being indexed because I can search on eventtype="ironport_proxy", but the prepackaged searches do not impart data. Has anyone had any experience with this? Cheers.
What index is the data going into? I noticed I had to have mine in the "cisco_wsa" index for it to work.