Hi,
I am trying to create a data input for my IronPort WSA security appliance.
My log files are in the squid format.
I don't seem to have a sourcetype for squid. Do I need to create this?
Thanks,
Gary
Did you use the Splunk for Cisco Ironport Web Security Appliance? Here is the link for the free download. It will have the data extractions, reports and dashboards for you and then you can configure from there to meet your exact needs.
http://splunk-base.splunk.com/apps/22302/splunk-for-cisco-ironport-web-security-appliance
Check this on the twiki for details on squid format specifically.
http://wiki.splunk.com/Set_up_Splunk_for_Cisco_IronPort_Web_Security_Appliance
Thanks Dude, that worked a treat!
You can skip the data preview and set the sourcetype manually. Hit the 'More settings' check box, change the dropdown to manual and put in the cisco_wsa_squid sourcetype.
Hi,
Thanks for your reply.
I have downloaded the app, but when I go to create my data source it's not recognizing the log format.
When I go to apply an existing sourcetype, the cisco_wsa_squid sourcetype is not in the list.
If I go to create a new sourcetype and save it as cisco_wsa_squid, it says the sourcetype already exists.
Gary