Upgrade the Splunk Add-on for Cisco WSA
Upgrade from 3.2.4 to 3.3.0
Added extraction of "cs-bytes" field in w3c and squid logs
Starting from version 3.3.0, the Splunk Add-on for Cisco WSA expects the optional field
bytes_out to be the last field in the access logs. If you are extracting this field, modify your access logs in Cisco WSA as shown in the Customize field extractions for access logs.
Modified column names in lookup files
In version 3.3.0, the column names of below lookup files are modified to resolve conflicts in field extractions with other apps or add-ons.
|Name of the modified lookup file||Changed field(s)|
|cisco_wsa_proxy_action_lookup.csv|| Renamed "action" to "ta_cisco_wsa_proxy_action"|
Added a field alias to extract "action"
|cisco_wsa_traffic_action_lookup.csv|| Renamed "action" to "ta_cisco_wsa_traffic_action" and added a FIELDALIAS to extract "action"|
Renamed "vendor_action" to "ta_cisco_wsa_traffic_vendor_action" and added a FIELDALIAS to extract "vendor_action"
The action and vendor_action columns in the lookup will be deprecated in future releases. If you are using the lookup directly in your apps or field extractions, change the input or output field names.
Remove sample files
After upgrading the Splunk Add-on for Cisco WSA, manually remove the following sample files from
Install the Splunk Add-on for Cisco WSA
Configure inputs for the Splunk Add-on for Cisco WSA
This documentation applies to the following versions of Splunk® Supported Add-ons: released