I have several instances of SplunkforBlueCoat and have recently run into a strange issue. Splunk cannot find the BlueCoat sourcetype. I haven't had this issue before, and I've checked my props.conf & transforms.conf against correct ones and cannot find any differences. Can anyone point me in the right direction?
Check the inputs.conf; this is where you specify which sourcetype to apply to which source.
I'm not seeing where in the inputs.conf the source type is defined.
Should there be an inputs.conf in the default or local directories of Splunk for Blue Coat?