Splunk & Cisco Web Security Appliance (WSA) – BFF: „Dear IT-Admin: My Internet is so slow“


I recently met with Tobias Mayer, an engineer from EMEA with Cisco. He has a particular expertise in Websecurity Technology.  The Cisco Munich Data Center has a great Splunk deployment and Tobias works closely with organizations in EMEA to solve their daily problems.

One common claim from End-Users in IT is „Our internet is slow“….and then the troubleshooting begins…  wsa

There are various components within enterprise IT that could be the reason why: „the internet is slow“.

It could be:

  • The Proxy Server is running on max load (CPU, Memory, Concurrent Connections)
  • The network connection from the client to the proxy within the internal network is slow
  • The Active Directory / Authentication Service for the proxy response is slow
  • The DNS Server for the name resolution is slow
  • The threat intelligence / domain reputation validation service response is slow (Cisco Talos)
  • The bandwith of the ISP is slow
  • The website the user is trying to access is slow to respond

Troubleshooting all these different components is very time consuming.

Cisco’s Web Security Appliance allows customers to customize the access log to include the response times from each of the components that make up the internet-service for end-users. New data fields can be easily displayed on Splunk Dashboards for continuous monitoring or quick ad-hoc troubleshooting tasks.


Here you can see a 30 day chart about the average response and latency times of the DNS Server, the Reputation Service and how long it takes until the first byte is recieved from the internet (ISP Bandwith).


sourcetype=<yourwsa> | timechart avg(server_first_byte_wait), avg(dns_latency), avg(dns_latency), ….

This results in great operational insight, allows proactive monitoring and ensures investment is made into the right components to improve the overall service if required.


Further Ressources:

Checkout Tobias’ Blog

Cisco WSA User Guide – Kapitel 21, Page 375 and following explains all possible Variables for the custom log.  You might also look at Scan engine response times etc. – be creative!

Splunk Add-on for Cisco WSA on Splunkbase

Cisco Security Suite on Splunkbase


Happy Splunking,

Matthias Maier is Product Marketing Director at Splunk, as well as a technical evangelist in EMEA, responsible for communicating Splunk's go-to market strategy in the region. He works closely with customers to help them understand how machine data reveals new insights across application delivery, business analytics, IT operations, Internet of Things, and security and compliance. Matthias has a particular interest and expertise in security, and is the author of the Splunk App for IP Reputation. Previously, Matthias worked at TIBCO LogLogic and McAfee as a senior technical consultant. He is also a regular speaker at conferences on a range of enterprise technology topics.