
BlueCoat CacheFlow with Splunk 6.2

Buhl3r
New Member

Hello All,

I started by installing the BlueCoat app for Splunk, only to find out that it is not compatible with Splunk 6.2.
Also, I noticed that most of the searches are for ProxySG, which I don't need because I don't have a ProxySG.

I intend to develop a dashboard for the most important information that we can get from BlueCoat logs.

I'm trying to work out which searches to include. Does anyone have any searches that can be applied to the BlueCoat CacheFlow? For example, users with the most hits, most cached sites, etc.

Below is an example of the file:

```text
#Software: CacheFlow 3.4.2.2
#Version: 1.0
#Start-Date: 2015-10-22 11:49:11
#Date: 2015-09-30 22:52:05
#Fields: date time c-ip time-taken sc-status sc-bytes cs-bytes rs-bytes sr-bytes s-action cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) cs-ip cs-categories c-uri x-exception-id rs(Content-Type)
#Remark: 4612230005 "CF01-BC-LAD-CT-FILDA" "10.35.87.34" "main"
2015-10-22 11:49:11 10.114.172.124 11 200 8040 599 0 0 TCP_HIT GET http mt0.googleapis.com 80 /vt ?pb=!1m5!1m4!1i13!2i4400!3i4300!4i256!2m3!1e0!2sm!3i325000000!3m9!2spt-PT!3sUS!5e18!12m1!1e50!12m3!1e37!2m1!1ssmartmaps!4e0!5m1!5f2 - "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1" 195.8.11.50 "none" http://mt0.googleapis.com/vt?pb=!1m5!1m4!1i13!2i4400!3i4300!4i256!2m3!1e0!2sm!3i325000000!3m9!2spt-P... - image/png
2015-10-22 11:49:11 10.114.202.235 4177 200 292 491 292 491 TCP_NC_MISS POST http api.gifshow.com 80 /rest/n/system/speed ?did=7D42619E-4F4F-4F88-8278-54E5C7793CFD&mod=iPhone7,2&sys=ios8.3&net=%E4%B8%AD%E5%9B%BD%E7%A7%BB%E5%8A%A85&c=a&ver=4.73 - "kwai-ios" 180.186.38.200 "none" http://api.gifshow.com/rest/n/system/speed?did=7D42619E-4F4F-4F88-8278-54E5C7793CFD&mod=iPhone7,2&sy... - application/json;charset=UTF-8
2015-10-22 11:49:11 10.115.180.166 30005 503 915 3028 0 0 TCP_ERR_MISS POST http statsfe2.update.microsoft.com 80 /ReportingWebService/ReportingWebService.asmx - asmx "Windows-Update-Agent/7.9.9600.18066 Client-Protocol/1.21" 65.52.108.153 "none" http://statsfe2.update.microsoft.com/ReportingWebService/ReportingWebService.asmx tcp_error -
```

All help is welcome. Thanks.
Buhl3r

0 Karma

mreynov_splunk
Splunk Employee

This format matches the ProxySG logging format. You can try this TA: https://splunkbase.splunk.com/app/2758/

0 Karma
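The log excerpt in the question is W3C Extended Log Format: the `#Fields:` directive names the columns, other `#` lines are metadata, and values containing spaces (the User-Agent, the category list) are double-quoted. The Python below is an added example for this thread, not code from the post or from the Splunk TA the reply points to. It parses that format and computes the summaries the question asks for: clients with the most hits, cache hits per site, bytes served per client, and failed or denied requests. The sample log is constructed from the posted lines with shortened URLs, plus an invented `TCP_DENIED` record (`blocked.example.net`, `policy_denied`) and a deliberately truncated line so the malformed-record path is exercised.

```python
"""Parse a Blue Coat CacheFlow/ProxySG access log (W3C Extended Log Format)
and build the summaries the thread asks for: clients with the most hits,
cache hits per site, bytes served per client, and failed or denied requests.
Example code added for this thread; not part of the post or of any Splunk TA."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample modelled on the log excerpt in the question (URLs shortened).
# The first three records follow the posted lines; the TCP_DENIED record is
# invented to show a policy exception; the last line is deliberately truncated.
SAMPLE_LOG = """#Software: CacheFlow 3.4.2.2
#Version: 1.0
#Start-Date: 2015-10-22 11:49:11
#Date: 2015-09-30 22:52:05
#Fields: date time c-ip time-taken sc-status sc-bytes cs-bytes rs-bytes sr-bytes s-action cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) cs-ip cs-categories c-uri x-exception-id rs(Content-Type)
#Remark: 4612230005 "CF01-BC-LAD-CT-FILDA" "10.35.87.34" "main"
2015-10-22 11:49:11 10.114.172.124 11 200 8040 599 0 0 TCP_HIT GET http mt0.googleapis.com 80 /vt ?pb=!1m5!1m4 - "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1" 195.8.11.50 "none" http://mt0.googleapis.com/vt?pb=!1m5!1m4 - image/png
2015-10-22 11:49:11 10.114.202.235 4177 200 292 491 292 491 TCP_NC_MISS POST http api.gifshow.com 80 /rest/n/system/speed ?did=7D42619E&mod=iPhone7,2 - "kwai-ios" 180.186.38.200 "none" http://api.gifshow.com/rest/n/system/speed?did=7D42619E - application/json;charset=UTF-8
2015-10-22 11:49:11 10.115.180.166 30005 503 915 3028 0 0 TCP_ERR_MISS POST http statsfe2.update.microsoft.com 80 /ReportingWebService/ReportingWebService.asmx - asmx "Windows-Update-Agent/7.9.9600.18066 Client-Protocol/1.21" 65.52.108.153 "none" http://statsfe2.update.microsoft.com/ReportingWebService/ReportingWebService.asmx tcp_error -
2015-10-22 11:49:12 10.114.172.124 5 403 1234 410 0 0 TCP_DENIED GET http blocked.example.net 80 /payload.exe - exe "Mozilla/5.0" - "none" http://blocked.example.net/payload.exe policy_denied text/html
2015-10-22 11:49:13 10.1.1.1 truncated
"""

_TOKEN = re.compile(r'"[^"]*"|\S+')   # ELF double-quotes values that contain spaces


def tokenize(line: str) -> List[str]:
    """Split one record on whitespace, keeping double-quoted values whole."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in _TOKEN.findall(line)]


def parse_elf(text: str) -> Tuple[List[Dict[str, str]], int]:
    """Return (records, malformed_count).

    Column names come only from the most recent #Fields directive, so a log
    whose field list changes mid-stream (e.g. after a config change) is still
    mapped correctly.  A record whose token count does not match the header is
    counted and dropped rather than zipped into the wrong columns."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    malformed = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # Software/Version/Date/Remark carry no data
        tokens = tokenize(line)
        if not fields or len(tokens) != len(fields):
            malformed += 1
            continue
        records.append(dict(zip(fields, tokens)))
    return records, malformed


def top_clients(records: List[Dict[str, str]], n: int = 10) -> List[Tuple[str, int]]:
    """Client IPs with the most requests ("users with the most hits")."""
    return Counter(r["c-ip"] for r in records).most_common(n)


def cache_hits_by_host(records: List[Dict[str, str]]) -> Dict[str, Tuple[int, int]]:
    """Per cs-host: (served_from_cache, total).  Blue Coat s-action values that
    contain HIT (TCP_HIT, TCP_MEM_HIT, ...) were answered from the cache."""
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for r in records:
        stats[r["cs-host"]][1] += 1
        if "HIT" in r["s-action"]:
            stats[r["cs-host"]][0] += 1
    return {host: (hits, total) for host, (hits, total) in stats.items()}


def bytes_to_clients(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Bytes the proxy sent to each client (sc-bytes); '-' means unknown."""
    totals: Counter = Counter()
    for r in records:
        if r["sc-bytes"].isdigit():
            totals[r["c-ip"]] += int(r["sc-bytes"])
    return dict(totals)


def failed_or_denied(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Requests with an HTTP error status (>= 400) or a proxy exception
    (x-exception-id other than '-'), e.g. tcp_error or policy_denied."""
    return [r for r in records
            if (r["sc-status"].isdigit() and int(r["sc-status"]) >= 400)
            or r["x-exception-id"] != "-"]


if __name__ == "__main__":
    recs, bad = parse_elf(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} malformed line(s) skipped")
    print("top clients:", top_clients(recs, 3))
    print("cache hits by host:", cache_hits_by_host(recs))
    print("bytes to clients:", bytes_to_clients(recs))
    for r in failed_or_denied(recs):
        print("failed/denied:", r["c-ip"], r["cs-host"], r["sc-status"], r["x-exception-id"])
```

Once the same fields are extracted in Splunk (by the TA the reply suggests, or by your own props.conf keyed off the `#Fields` header), each function above maps to a `stats` search: request counts per client, `sum(sc-bytes)` per client, counts by `cs-host` split on whether `s-action` contains HIT, and a filter on `sc-status>=400` or `x-exception-id` not equal to `-` for the error panel. Note that hyphenated field names such as `c-ip` need single quotes inside `eval` and `where` expressions. The parser drops rather than guesses when a line's token count disagrees with the header; a dashboard that silently shifted columns would attribute the wrong client to a denied request, which is exactly the row you care about.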