I have Websense data coming in to my ES app and it reports fine, but it does not correlate Websense-defined category numbers with human-readable names.
e.g. most common category #18... well, that's lovely, but I need to be able to read that that is shopping.
I have the numbered list and how it correlates in a CSV. How do I make ES use that information? A lookup table seems to be perhaps the correct route?
Check out the Websense documentation here for the latest categories and lists: http://www.websense.com/content/support/library/web/v76/siem/siem.pdf
Had same issue. This worked....
STEP 1:
Commented out these two (2) lines in
/opt/splunk/etc/apps/TA-websense/default/props.conf

    #REPORT-1category_id_for_websense = category_id_for_websense
    #FIELDALIAS-category_for_websense = category_id as category

STEP 2:
Added this local/props.conf file:
/opt/splunk/etc/apps/TA-websense/local/props.conf

    [source::...websense]
    sourcetype = websense

    [websense]
    SEDCMD-setcatid = s/category=/category_id=/g
    LOOKUP-websense-categories-list = websense-categories-list WID AS category_id OUTPUTNEW Wcategory AS category

(NOTE: The columns in my CSV were "WID" and "Wcategory")
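
A small Python model of what the SEDCMD and LOOKUP settings in the answer above do together, added here as an example and not part of the original answer or of the TA-websense app. It shows why the raw `category=` key is renamed first: `OUTPUTNEW` only writes `category` when the event does not already carry that field. The sample events, the second CSV row and the simplified key=value extraction are constructed assumptions; Splunk itself is not involved.

```python
import csv
import io
import re

# Constructed lookup CSV: the WID/Wcategory headers and 18 = shopping come
# from the page; the second row is an illustrative placeholder.
SAMPLE_CSV = "WID,Wcategory\n18,Shopping\n9001,Constructed Category\n"

# Constructed raw events in key=value form (not real Websense output).
SAMPLE_EVENTS = [
    "user=alice url=shop.example category=18 action=permitted",
    "user=bob url=intranet.example category=999 action=permitted",
]

def load_lookup(text):
    """Parse the CSV into {WID: Wcategory}, rejecting blank or duplicate ids."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        wid = row["WID"].strip()
        if not wid or wid in table:
            raise ValueError(f"blank or duplicate WID: {wid!r}")
        table[wid] = row["Wcategory"].strip()
    return table

def sedcmd(raw):
    """Same substitution as SEDCMD-setcatid: s/category=/category_id=/g."""
    return re.sub(r"category=", "category_id=", raw)

def extract(raw):
    """Simplified key=value field extraction (assumption, not Splunk's)."""
    return dict(re.findall(r"(\w+)=(\S+)", raw))

def lookup_outputnew(fields, table):
    """OUTPUTNEW semantics: add category only if the event has none yet."""
    out = dict(fields)
    name = table.get(out.get("category_id"))
    if name is not None and "category" not in out:
        out["category"] = name
    return out

def enrich(raw, table, rewrite=True):
    """Run one event through the rename (optional) and the lookup."""
    fields = extract(sedcmd(raw) if rewrite else raw)
    return lookup_outputnew(fields, table)

if __name__ == "__main__":
    table = load_lookup(SAMPLE_CSV)
    for raw in SAMPLE_EVENTS:
        print(enrich(raw, table), "| without rename:", enrich(raw, table, rewrite=False))
```

An id that is missing from the CSV (999 in the constructed data) leaves the event with `category_id` but no `category`, which is a quick way to spot gaps in the list.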