Forums: SplunkGeneral: Cisco Ironport Web

I'm having a hard time getting the ironport web data to fill in correctly. I'm very new to splunk so i'm sure thats some of my problem. I have a script that pulls the current access log every half hour or so and then drops it in a directory on my splunk machine. I then added a data import for files and directories and pointed it to this same directory. I know that the ironport app says to make sure the source is set to cisco_wsa. I don't seem to have that in my list of source types. Is there something else I need to download or setup to get that source type to appear for me? Also if anyone has any experience in setting up the ironport web to work with splunk I wouldn't mind hearing any ideas that you might have as well. Thanks in Advance.

Joe

Hello,
You will need to set this sourcetype manually as its not part of the default sourcetype drop downs, though I agree the app should provide this as an option. Please try a manual setting in the UI or directly in the conf file and let us know if it is working for you.

I get object error's when I try to manually import the Cisco Ironport logs.

Hi John,
We posted some updated documentation here:

http://answers.splunk.com/questions/3362/how-do-i-install-and-configure-the-splunk-for-ironport-web-app-on-splunkbase

If you are still having issues let me know and we can set up a webex to review your deployment.