
Why is the Splunk Add-on for Blue Coat ProxySG unable to ingest .gz files and causes our Splunk 6.4 universal forwarder to crash?

jhall0007
Path Finder

It appears the BlueCoat TA is unable to ingest .gz files - even when it is zipped by the Blue Coat proxy itself. Attempting to ingest them actually causes the entire forwarder to crash. I've attempted this on a Linux 6.3 and then a 6.4 universal forwarder (I haven't tried it with a HF).

I've manually run gunzip on some of these files and the TA seems to ingest them without a problem.

In our environment, we bypassed the issue by ingesting the data with a basic app. We intended to use the transforms elsewhere at index/search-time, but found that the initial Blue Coat headers were dropped, causing the TA to lose its ability to dynamically parse the data correctly.

Is anyone else using this TA to ingest .gz files?

Thanks,


mreynov_splunk
Splunk Employee

Sounds like you were using the bluecoat:proxysg:access:file sourcetype to leverage INDEXED_EXTRACTIONS. Is that correct?

If so, you can try to use sourcetype bluecoat:proxysg:access:syslog with the recommended log format configured (default bcereportermain_v1) on the Blue Coat side: http://docs.splunk.com/Documentation/AddOns/latest/BlueCoatProxySG/Sourcetypes

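An added example (not code from the add-on or from either poster) that illustrates both points in this thread: gzipped and plain ELFF files are read the same way once the gzip magic is checked, and once the "#Fields:" directive line is gone the parser cannot name the columns, so it must either be given the schema configured on the proxy or refuse. The field list in the sample is an assumption, not the add-on's bcereportermain_v1 definition.

```python
import gzip
import re

# Constructed sample in the W3C ELFF layout a ProxySG writes: '#' directive
# lines first, then one event per line. The field list is an assumption, not
# the add-on's bcereportermain_v1 definition.
SAMPLE_LOG = b"""#Software: SGOS
#Version: 1.0
#Date: 2016-05-10 12:00:00
#Fields: date time time-taken c-ip cs-method cs-host sc-status sc-bytes cs(User-Agent)
2016-05-10 12:00:01 120 10.0.0.5 GET example.com 200 512 "Mozilla/5.0 (X11; Linux)"
2016-05-10 12:00:02 87 10.0.0.6 CONNECT example.net 403 0 "-"
"""
GZIPPED_LOG = gzip.compress(SAMPLE_LOG)  # what the proxy hands over as a .gz
# The same events with the directive lines dropped, as the question describes.
HEADERLESS_LOG = b"\n".join(
    l for l in SAMPLE_LOG.splitlines() if not l.startswith(b"#")) + b"\n"

# ELFF tokens are whitespace separated; a double-quoted token may contain spaces.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def read_text(data: bytes) -> str:
    """Return the log as text, gunzipping first if it carries the gzip magic."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8")


def parse_elff(data: bytes, fallback_fields=None) -> list:
    """Map each event to the #Fields: names; without that directive use fallback_fields or refuse."""
    fields, events = None, []
    for line in read_text(data).splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no event data
        if fields is None:
            if fallback_fields is None:
                raise ValueError("event seen before any #Fields: directive")
            fields = list(fallback_fields)
        values = [quoted or bare for quoted, bare in TOKEN.findall(line)]
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} values, got {len(values)}: {line!r}")
        events.append(dict(zip(fields, values)))
    return events
```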