
BlueCoat Cacheflow with splunk 6.2

Buhl3r
New Member

Hello All,

I started by installing the Bluecoat app for Splunk, only to find out that it is not compatible with Splunk 6.2.
Also, I noticed that most of the searches are for ProxySG, which I don't need because I don't have a ProxySG.

I intend to develop a dashboard for the most important information that we can get from the Bluecoat logs.

I'm trying to understand which searches to include. Does anyone have searches that can be applied to the Bluecoat CacheFlow? Like users with the most hits, most cached sites, etc.

Below is an example of the file:

#Software: CacheFlow 3.4.2.2
#Version: 1.0
#Start-Date: 2015-10-22 11:49:11
#Date: 2015-09-30 22:52:05
#Fields: date time c-ip time-taken sc-status sc-bytes cs-bytes rs-bytes sr-bytes s-action cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) cs-ip cs-categories c-uri x-exception-id rs(Content-Type)
#Remark: 4612230005 "CF01-BC-LAD-CT-FILDA" "10.35.87.34" "main"

2015-10-22 11:49:11 10.114.172.124 11 200 8040 599 0 0 TCP_HIT GET http mt0.googleapis.com 80 /vt ?pb=!1m5!1m4!1i13!2i4400!3i4300!4i256!2m3!1e0!2sm!3i325000000!3m9!2spt-PT!3sUS!5e18!12m1!1e50!12m3!1e37!2m1!1ssmartmaps!4e0!5m1!5f2 - "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1" 195.8.11.50 "none" http://mt0.googleapis.com/vt?pb=!1m5!1m4!1i13!2i4400!3i4300!4i256!2m3!1e0!2sm!3i325000000!3m9!2spt-P... - image/png
2015-10-22 11:49:11 10.114.202.235 4177 200 292 491 292 491 TCP_NC_MISS POST http api.gifshow.com 80 /rest/n/system/speed ?did=7D42619E-4F4F-4F88-8278-54E5C7793CFD&mod=iPhone7,2&sys=ios8.3&net=%E4%B8%AD%E5%9B%BD%E7%A7%BB%E5%8A%A85&c=a&ver=4.73 - "kwai-ios" 180.186.38.200 "none" http://api.gifshow.com/rest/n/system/speed?did=7D42619E-4F4F-4F88-8278-54E5C7793CFD&mod=iPhone7,2&sy... - application/json;charset=UTF-8
2015-10-22 11:49:11 10.115.180.166 30005 503 915 3028 0 0 TCP_ERR_MISS POST http statsfe2.update.microsoft.com 80 /ReportingWebService/ReportingWebService.asmx - asmx "Windows-Update-Agent/7.9.9600.18066 Client-Protocol/1.21" 65.52.108.153 "none" http://statsfe2.update.microsoft.com/ReportingWebService/ReportingWebService.asmx tcp_error -

All help is welcome. Thanks.
Buhl3r

0 Karma
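As an added example (not code from the original post, the Blue Coat app, or the Splunk TA), the following Python parses the W3C Extended Log Format sample above and computes the three things the question asks for: users (client IPs) with the most hits, how much of each site's traffic was served from cache, and failed requests. It assumes the log follows the "main" format shown in the post: a `#Fields:` directive names the columns, `-` marks an empty value, and values containing spaces such as `cs(User-Agent)` are double-quoted. The sample lines are the post's own three log lines; the `...` truncations in two `c-uri` values are kept as they appear on the page. Helper names (`parse_elf`, `top_clients`, `cache_summary`, `failed_requests`) are this example's, not Splunk's or Blue Coat's.

```python
"""Parse a Blue Coat CacheFlow/ProxySG access log (W3C Extended Log Format)
and compute the dashboard aggregates the post asks about.

Added example; assumes the ELF "main" format shown in the post:
  - a "#Fields:" directive names the columns,
  - "-" stands for an empty value,
  - values containing spaces (e.g. cs(User-Agent)) are double-quoted.
"""
import re
from collections import Counter, defaultdict

# Sample log: the three data lines from the post, header directives kept with
# the "#" prefix ELF uses.  Two c-uri values are truncated with "..." in the
# original and are left that way.
SAMPLE_LOG = """#Software: CacheFlow 3.4.2.2
#Version: 1.0
#Start-Date: 2015-10-22 11:49:11
#Date: 2015-09-30 22:52:05
#Fields: date time c-ip time-taken sc-status sc-bytes cs-bytes rs-bytes sr-bytes s-action cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) cs-ip cs-categories c-uri x-exception-id rs(Content-Type)
#Remark: 4612230005 "CF01-BC-LAD-CT-FILDA" "10.35.87.34" "main"
2015-10-22 11:49:11 10.114.172.124 11 200 8040 599 0 0 TCP_HIT GET http mt0.googleapis.com 80 /vt ?pb=!1m5!1m4!1i13!2i4400!3i4300!4i256!2m3!1e0!2sm!3i325000000!3m9!2spt-PT!3sUS!5e18!12m1!1e50!12m3!1e37!2m1!1ssmartmaps!4e0!5m1!5f2 - "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1" 195.8.11.50 "none" http://mt0.googleapis.com/vt?pb=!1m5!1m4!1i13!2i4400!3i4300!4i256!2m3!1e0!2sm!3i325000000!3m9!2spt-P... - image/png
2015-10-22 11:49:11 10.114.202.235 4177 200 292 491 292 491 TCP_NC_MISS POST http api.gifshow.com 80 /rest/n/system/speed ?did=7D42619E-4F4F-4F88-8278-54E5C7793CFD&mod=iPhone7,2&sys=ios8.3&net=%E4%B8%AD%E5%9B%BD%E7%A7%BB%E5%8A%A85&c=a&ver=4.73 - "kwai-ios" 180.186.38.200 "none" http://api.gifshow.com/rest/n/system/speed?did=7D42619E-4F4F-4F88-8278-54E5C7793CFD&mod=iPhone7,2&sy... - application/json;charset=UTF-8
2015-10-22 11:49:11 10.115.180.166 30005 503 915 3028 0 0 TCP_ERR_MISS POST http statsfe2.update.microsoft.com 80 /ReportingWebService/ReportingWebService.asmx - asmx "Windows-Update-Agent/7.9.9600.18066 Client-Protocol/1.21" 65.52.108.153 "none" http://statsfe2.update.microsoft.com/ReportingWebService/ReportingWebService.asmx tcp_error -
"""

# A token is either a double-quoted string (quotes stripped) or a run of
# non-whitespace.  Splitting on whitespace alone would break the User-Agent.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    """Split one ELF data line into field values, keeping quoted values intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(line)]


def parse_elf(text):
    """Return one dict per request, keyed by the names from the #Fields: line.
    "-" (ELF's empty marker) becomes None so callers can test for absence."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Remark, ...) carry no request data
        if fields is None:
            raise ValueError("data line seen before #Fields: directive")
        values = tokenize(line)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line[:60]}")
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def top_clients(records, n=10):
    """Client IPs with the most requests, like `stats count by c-ip | sort -count`."""
    return Counter(r["c-ip"] for r in records).most_common(n)


def cache_summary(records):
    """Per destination host: requests, cache hits, bytes sent to clients, hit ratio.
    Blue Coat s-action values containing HIT (TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT)
    were served from cache; TCP_NC_MISS, TCP_ERR_MISS, etc. went to the origin."""
    stats = defaultdict(lambda: {"requests": 0, "hits": 0, "bytes": 0})
    for r in records:
        s = stats[r["cs-host"]]
        s["requests"] += 1
        if "HIT" in (r["s-action"] or ""):
            s["hits"] += 1
        s["bytes"] += int(r["sc-bytes"] or 0)
    for s in stats.values():
        s["hit_ratio"] = s["hits"] / s["requests"]
    return dict(stats)


def failed_requests(records):
    """Requests that deserve their own panel: a 5xx status from the proxy or an
    x-exception-id (e.g. tcp_error when the origin could not be reached)."""
    return [r for r in records
            if int(r["sc-status"]) >= 500 or r["x-exception-id"] is not None]


if __name__ == "__main__":
    recs = parse_elf(SAMPLE_LOG)
    print("top clients:", top_clients(recs))
    for host, s in sorted(cache_summary(recs).items()):
        print(f"{host}: {s['requests']} req, {s['hits']} hits, {s['bytes']} B, hit ratio {s['hit_ratio']:.2f}")
    for r in failed_requests(recs):
        print("failed:", r["c-ip"], r["cs-host"], r["sc-status"], r["s-action"], r["x-exception-id"])
```

Each function maps onto one dashboard panel: `top_clients` is the "users with most hits" table, `cache_summary` sorted by `hits` gives "most cached sites", and `failed_requests` surfaces origin failures such as the `503`/`tcp_error` line in the sample. Pointing `parse_elf` at a real CacheFlow access log file (or running the same aggregations as `stats` over the extracted fields in Splunk) is the only change needed.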

mreynov_splunk
Splunk Employee

This format matches the proxySG logging format. You can try this TA: https://splunkbase.splunk.com/app/2758/

0 Karma