
Bluecoat App

andiaye
Explorer

Hello,

I have installed the Bluecoat ProxySG app on my Splunk.

Related to the procedure below:

In Splunk, you will need to add a new TCP Data input. The app expects the source type to be bcoat_log. You may choose something different, but you will need to modify the app as well. To add this input, log into Splunk and click on Manager. Under the Data section, click on "Data inputs". Then click on "Add new" for a TCP input. On this page, you can enter the port number, 20108 for example. You can optionally override the source name as well. Leave "Set sourcetype" as "From list", and choose bcoat_log from the dropdown list. Click on more settings, and set the index for this source to be bcoat_logs.

I configured my BC to send log files to the Splunk server, but the app dashboard does not display any results.

When I search with index=bcoat_logs, I can see log information. And with a search on sourcetype=bcoat_log, I have no results.

Do you have an idea why it does not work?

Thank you in advance.


kvatinelle
Engager

I am also having the same issue.

I followed the tips in this page. But I keep getting a blank page in "BlueCoat Traffic Overview".

Hopefully someone will have another idea?

Best Regards


andiaye
Explorer

Thank you for your answer.
After editing, it changes nothing in the results.

When I search with the index or with bcoat_request in the BC App Search tab, I see some logs with sourcetype="bcoat_proxysg" and source=bcoat.

But sourcetype="bcoat_proxysg" gives no results. I tried this line (no results):
bcoat_request filter_result="DENIED" src_ip != "-" | top src_ip limit=10 countfield="Requests" | rename src_ip as "Client IP"

The dashboard displays nothing.

Any idea?

Thanks in advance.


andiaye
Explorer

I added the index bcoat_logs to "Indexes searched by default".
By typing just the name of the index, it displays some results.

But it changes nothing for the app dashboard, i.e. it does not work.


sowings
Splunk Employee

Your list of default indexes searched (that is, if you don't explicitly say "index=...") is just "main" by default. Check out the roles (in the Manager under Access Controls) to see the "list of indexes searched by default".

(Or just type the name of the index in your searches....)


sowings
Splunk Employee

This app remaps incoming data from the "bcoat_logs" sourcetype to "bcoat_proxysg" (for matching events). When searching via the search bar, use the latter sourcetype. The app itself is keyed on the latter type, so your dashes should work just fine.

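Added example, not from the thread or from the Bluecoat app itself: the TCP input described in the procedure quoted in the first post, written as the equivalent inputs.conf stanza, followed by one assumed way the search-time remap that sowings describes could be expressed in props.conf. The port 20108, the sourcetype bcoat_log and the index bcoat_logs are the values the quoted procedure uses; `connection_host = ip` and the use of the props.conf `rename` setting are assumptions (the thread only says the app "remaps" the sourcetype, not how).

```ini
# inputs.conf (e.g. $SPLUNK_HOME/etc/system/local/inputs.conf or an app's local/)
# Equivalent of the Manager > Data inputs > TCP input from the quoted procedure.
[tcp://20108]
sourcetype = bcoat_log
index = bcoat_logs
# Assumption: record the sending proxy's IP as the host field.
connection_host = ip

# props.conf
# Assumption: the app remaps the sourcetype with "rename". With this setting,
# events ingested as bcoat_log are searchable only as sourcetype=bcoat_proxysg;
# the original value is kept in the _sourcetype field. That is why a search on
# sourcetype=bcoat_log returns nothing while index=bcoat_logs still shows events.
[bcoat_log]
rename = bcoat_proxysg
```

To confirm which sourcetype the indexed events actually carry before touching the dashboards, run `index=bcoat_logs | stats count by sourcetype, source, _sourcetype`: if a rename is in place, sourcetype shows bcoat_proxysg and _sourcetype shows the value the input assigned. If the sourcetype column shows anything else (for example a default TCP sourcetype because "Set sourcetype" was not left as "From list"), the input, not the app, is what needs fixing.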