Splunk Add-on for Blue Coat ProxySG: Why are field extractions not working? Is there an app with prebuilt reports?

nychawk
Communicator

I am collecting my Blue Coat logs into several syslog servers, and sending into Splunk with universal forwarders on each.

My proxies are running the latest SGOS; I know there is a difference in several V6's.

My etc/local/inputs.conf on my UFs was not working at all when I had sourcetype = bluecoat:proxysg:access:file, so I tried using bluecoat:proxysg:access:syslog, and I began to immediately see data. The problem with my data is that I am not seeing the field extractions I expect to see. Did anyone have to create a local props.conf and/or transforms.conf? If so, can you post them here?

Also, what Splunk app should I use to create some canned reports? Is there one I should use, or one I can alter to make work with this add-on?

Thank you in advance.

0 Karma

nychawk
Communicator

I should have updated this question to reflect my latest changes; prebuilt panels were already added.

What I am looking for is an app that properly searches my index; the latest version of the Bluecoat app does not seem to work.

Thank you.

0 Karma

dshpritz
SplunkTrust

This exists:

https://splunkbase.splunk.com/app/2624/

That said, it is not specifically for Bluecoat, but is for any CIM-compliant proxy data. It also uses Accelerated Data Models for the reporting, so that is something to be aware of (check the docs).

0 Karma

nychawk
Communicator

Thank you David, I'll give this a go in the next 2-3 weeks; disk space is a commodity at the moment; hoping to get this installed before .conf 😉

Your user report is definitely one report I am looking for.

0 Karma