Ironport web appliance data source

fanningg · ‎05-11-2012

hi
i am trying to create a data input for my ironport wsa security appliance.
my log files are in the squid format.
i don't seem to have a sourcetype for squid do i need to create this?
thanks
gary

sdaniels · ‎05-11-2012

Did you use the Splunk for Cisco Ironport Web Security Appliance? Here is the link for the free download. It will have the data extractions, reports and dashboards for you and then you can configure from there to meet your exact needs.

http://splunk-base.splunk.com/apps/22302/splunk-for-cisco-ironport-web-security-appliance

Check this on the twiki for details on squid format specifically.

http://wiki.splunk.com/Set_up_Splunk_for_Cisco_IronPort_Web_Security_Appliance

fanningg · ‎05-11-2012

Thanks Dude, that worked a treat!

sdaniels · ‎05-11-2012

You can skip the data preview and set the sourcetype manually. Hit the 'More settings'check box, change the dropdown to manual and put in the cisco_wsa_squid sourcetype.

fanningg · ‎05-11-2012

hi
thanks for your reply
i have downloaded the app but when i go to create my data source it's not recognizing the log format.
when i go to apply an existing sourcetype, the cisco_wsa_squid sourcetype is not in the list.
if i go to create a new sourcetype and save as cisco_wsa_squid it says the sourcetype already exists.
gary

Ironport web appliance data source

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk