Hi all. I am new to Splunk and am using the Cisco Security Suite to set up the IronPort web logs. I am currently using UDP 514 and pushing the access.log from my web appliance to my Splunk instance. Here are my files:

inputs.conf

    [udp://514]
    connection_host = ip
    sourcetype = syslog

props.conf

    [source::udp:514]
    TRANSFORMS-changesourcetype_cisco_wsa_squid = cisco_wsa_squid

transforms.conf

    [cisco_wsa_squid]
    REGEX = (ip_address_of_host)
    FORMAT = sourcetype::cisco_wsa_squid
    DEST_KEY = MetaData:Sourcetype
    DEFAULT_VALUE = iron_port

The data is loading and I can search by cisco_wsa_squid and also by event type ironport_proxy, but the dashboards will not load. What am I missing?
Thanks!