Copy your logs (SCP) from the WSA to an intermediate (syslog) server and then have Splunk pull from there. I primarily use the access_log, as it contains the most relevant data, and this is what the Splunk Cisco App is expecting, I believe. You can do your log management on the syslog server if there's a log file size concern.