Splunk Add-on for Blue Coat ProxySG: Why are field...

nychawk · ‎05-25-2016

I am collecting my blue coat logs into several syslog servers, and sending into Splunk with universal forwarders on each.

My proxy's are running the latest SGOS; I know there is a difference in several V6's.

My etc/local/inputs.conf on my UF's was not working at all when I had sourcetype = bluecoat:proxysg:access:file, so I tried using bluecoat:proxysg:access:syslog, and I began to immediately see data. The problem with my data is that I am not seeing the field extractions I expect to see. Did anyone have to create a local props.conf and/or transforms.conf? If so, can you post them here?

Also, what Splunk app should I use to create some canned reports? Is there one I should use, or I can alter to make work with this add-on?

Thank you in advance.

jcoates_splunk · ‎08-19-2016

nychawk · ‎09-06-2016

I should have updated this question to reflect my latest changes; prebuilt panels were already added.

What I am looking for is an app that properly searches my index; the latest version of the Bluecoat app does not seem to work.

Thank you.

dshpritz · ‎09-06-2016

This exists:

https://splunkbase.splunk.com/app/2624/

That said, it is not specifically for Bluecoat, but is for any CIM-compliant proxy data. It also uses Accelerated Data Models for the reporting, so that is something to be aware of (check the docs)

nychawk · ‎09-06-2016

Thank you David, I'll give this a go in the next 2-3 weeks; disk space is a commodity at the moment; hoping to get this installed before .conf 😉

Your user report is definitely one report I am looking for.

Splunk Add-on for Blue Coat ProxySG: Why are field extractions not working? Is there an app with prebuilt reports?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk