Splunk® Supported Add-ons

Splunk Add-on for Cisco WSA

Download manual as PDF

Download topic as PDF

Field extractions for W3C formatted logs

If your data includes logs in W3C format, follow these additional steps to define how the Splunk platform should extract the fields.

  1. Check that your log fields match the W3C log format. If you added custom fields to the default log, or if you used a W3C log to fully customize your field list, check the following fields to make sure that the format is correct.
    Required format Description Log Field in W3C Logs Field name for extraction
    %t Timestamp in UNIX epoch (This gives you the date and time). timestamp timestamp
    %e Elapsed time (duration) x-elapsed-time x_elapsed_time
    %a Client IP Address c_ip src_ip
    %w/%h Result code and the HTTP response code, with a slash (/) in between sc-result-code/sc-http-status result_code
    %s Response size (header + body) sc-bytes bytes_in
    %2r %r is the Request first line which contains request method, URI, and HTTP version. %2r means it will show request method and uri if they are available. x-req-first-line http_method,url
    %A cs-username which is the Authenticated user name. cs-username user
    %H/%d The code that describes which server was contacted for the retrieving the request content. (e.g. DIRECT/www.example.com) s-hierarchy/s-hostname contact_mode
    %c Response body MIME type. cs-mime-type http_content_type
    %D ACL decision tag x-acltag x_acltag
    %Xr Result code x-result-code scan_verdict_info
    %?BLOCK_SUSPECT_ USER_AGENT, MONITOR_SUSPECT_ USER_AGENT?%<User-Agent:%!%-% Suspect user agent x-suspect-user-agent vendor_suspect_user_agent
    %q Request size (headers + body) cs-bytes bytes_out
  2. Provide a value for FIELDS in the form of a comma-separated list of each field in your log file, using the values in the "Field name for extraction" column in the table above. For example:
    [auto_kv_for_cisco_wsa_w3c]
    DELIMS = " "
    FIELDS = timestamp,x_elapsed_time,src_ip,result_code,bytes_in,http_method,url,user,contact_mode,http_content_type,x_acltag,scan_verdict_info,vendor_suspect_user_agent
    
    • FIELDS is a comma seperated list of each field that needs to be extracted from the event.
  3. (Optional)To change the order of FIELDS according to the format of your WSA W3C format logs, copy the [auto_kv_for_cisco_wsa_w3c] stanza from $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-wsa/default/transforms.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-wsa/local/transforms.conf and then modify the order in the value of FIELDS.
    • Chosen field names should be organized according to the name specified in the "Field name for extraction" column in the table above.
  4. Save the file.
  5. Restart the Splunk platform for the changes to take effect.
PREVIOUS
Configure inputs for the Splunk Add-on for Cisco WSA
  NEXT
Troubleshoot the Splunk Add-on for Cisco WSA

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters