Hi everyone,
I have a Splunk server receiving Cisco WSA data. I need to display in a table bandwidth by category, for example:
I don't see any field for this. Do I need something like NetFlow?
Does someone know how to do this?
I'll be very thankful for any help.
sourcetype=cisco_wsa_squid
| eval bandwidth=sc_bytes/1024/1024
| stats sum(bandwidth) by x_webcat_code_full
| rename x_webcat_code_full as "Web Category", sum(bandwidth) as "Bandwidth (MB)"
Here is an example of making a bandwidth field for GB:
props.conf
See this documentation on using props.conf
That's the right answer, thank you very much.
Do you have an x_webcat_code_full field? You may have a field for this data.
Have you seen this Splunk for Cisco WSA Add-on?
Yes, I have that field, and I've seen that Add-on, but I don't have any Bandwidth field to make a table like this.