We have a few customers in transition over to Splunk. Please let me know if you have ANY specific questions.
Cisco has developed, sells and directly supports an Advanced Reporting for WSA Application for Splunk.
Not only does the application properly extract the various fields in both access and trafmon logs, but it also directly emulates the functionality of on-box reporting while still allowing for additional Splunk searches.
Do you have any proper document for doing this? I downloaded the WSA app from Cisco and added it in Splunk, but it's not fetching the information from the IronPort. Maybe I missed one or two steps. If you have any documents, please share them; it will be very helpful.
Thanks & Regards
There are Install, User and Troubleshooting Guides posted to the Cisco Support portal. The "Install Guide" steps one through the process of importing logs, first time set-up, etc.
The "Troubleshooting Guide" will help diagnose any problems you may be having. In short, I would ensure that the data is being properly indexed (search "*" in the logs and make sure fields are properly extracted, e.g. acl_tag).
Next, with the fields being properly extracted, you may need a one-time run of the summary script if you have imported historical logs.
All of this is documented in the guides.