All Apps and Add-ons

Why are AMP dashboards empty after configuring the Splunk Add-on for Cisco WSA on Splunk 6.2.2?

mmartin0926
New Member

Hello All,

Splunk Version: v6.2.2
Add-On: Cisco Web Security Advanced Reporting 4.5.0

I have configured the WSA Add-on for Access, TrafMon, and AMP logs to be sent to the WSA. If I check the directories where these logs are being FTP'ed from the WSA, I can see tons of files in all 3 of them.

However, when I navigate to the Advanced Malware Dashboards (all of them), they all show no results in each section of every AMP dashboard.

Any idea why this is happening? Our license covers: wsa_trafmonlogs, wsa_accesslogs, wsa_w3clogs, wsa_syslog, wsa_amplogs, ciscocws

Any help would be appreciated!

Thanks in Advance,
Matt

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

Splunk Add-on for WSA is Splunk supported and you can expect that it will help you get the data into indexes for reporting. You'll be able to use its prebuilt panels and you'll be able to build your own reports and alerts.

I don't know what all the rest of this is about? I'm guessing Cisco Security Suite?

0 Karma

mmartin0926
New Member

jcoates, thanks for the reply.

The issue was that the AMP dashboards were showing as empty for the 29th, 30th and 1st (end of Sept and start of Oct), even though there was data coming into Splunk server. But, the 28th WAS showing data in the AMP Dashboards for the Cisco Ironport WSA Add-On.

But, I have been working with Cisco TAC on this so I think we have it covered.

Thanks Again,
Matt

0 Karma

mmartin0926
New Member

Now, I just returned back to Splunk after a few hours and I logged-in and went to the Cisco WSA add-on page.The "Overview" page that is displayed as the default page when going to that app is now empty as well. All the data in the directories where the logs are stored are all still there... Every dashboard I now go to is empty??? What could be happening here...?

0 Karma

mmartin0926
New Member

UPDATE: I still see nothing when going to the Cisco WSA Reporting Add-on's Overview page. But, if I change the time-interval dropdown box to "90 Days" and I leave the Data Source dropdown to "All" and the Host dropdown to "*[all hosts]" I can at least get some data for the WSA Overview page. But, when initially going to the Overview page with the default options, I get "No results found" in all of the graph/data boxes... Also, if I set the time-range to "Week" and leave the others the same, it's only showing data in the Sept 28th columns, however the directories contain log files from the WSA for all days including today... What's the deal here?

0 Karma

mmartin0926
New Member

ANOTHER UPDATE: I'm getting the feeling there is something going on with the recent data/log files in the log directories... Even though the files are there for the 28th, 29th and 30th it is not showing the data for anything other then the 28th... If I change the end of the URL of the Overview page from ?earliest=-24h&latest=now&form.host=* to ?earliest=-72h&latest=now&form.host=* it shows data for only the 28th...

0 Karma

ppablo
Retired

Hi @mmartin0926

I just re-edited your post to include the official tag for the Splunk Add-on for Cisco WSA so the right people should be notified to help you out. Unfortunately, I'm not the developer or an expert on troubleshooting this particular issue, but hopefully this will help get your issue seen by the right folks. Good luck!

Patrick

0 Karma

ppablo
Retired

Hi @mmartin0926

Just to clarify for other users, but are you referring to the Splunk Add-on for Cisco WSA in your post? https://splunkbase.splunk.com/app/1747/

It wasn't tagged, so wanted to make sure it is if that is what you're referring to for better visibility of your question. You explicitly stated another add-on, but that's not an add-on from Splunkbase.

0 Karma

mmartin0926
New Member

Thanks for updating that for me.

0 Karma

mmartin0926
New Member

I'm not positive if that's what it is considered, but it's listed under Splunk's Apps. The license we have is for "Cisco IronPort WSA"...

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...