I am using Splunk for Blue Coat and I have determined what the fields need to be and what order they are in, but when I put the list into the transforms.conf file and run a search, some fields are left off.
FIELDS = "date", "time", "time_taken", "c_ip", "src_user", "user_group", "x_exception_id", "filter_result", "category", "http_referrer", "sc_status", "http_method", "action", "http_content_type", "uri_scheme", "dest_host", "dest_port", "uri_path", "uri_query", "uri_extension", "http_user_agent", "dvc_ip", "cs_bytes", "sc_bytes", "x_virus_id", "x_bc_app_name", "x_bc_app_op"
The problems occur at sc_status. This field does not pull into search for some reason. When I try to add it to my selected fields it shows up in the selected field list but not in the available fields list. I thought there might be some issue with aliases, because this field had an alias in the props.conf file, so I commented it out, but that did not fix the issue. Does anyone know what's going on here? Thanks in advance.
Sample Event - Each line correlates to a field:
2013-01-30
22:15:07
698
10.100.10.100
USER
-
-
OBSERVED
"Web Advertisements"
-
200
TCP_NC_MISS
GET
text/html;%20charset=UTF-8
http
googleads.g.doubleclick.net
80
/pagead/ads
?client=....Huge Long Query String...
www.kpdirection.com
-
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17"
101.111.11.10
515
1120
-
"none"
"none"
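Added example (not from the question or from Splunk): a small Python checker that tokenizes a Blue Coat access-log line the way a space-delimited extraction would (double-quoted values kept whole), lines the tokens up against the FIELDS list from the post, and flags fields whose values do not have the expected shape. The event string is constructed from the sample values above, with the elided query string replaced by a placeholder.

```python
import ipaddress
import shlex

# Field list copied from the question's transforms.conf FIELDS setting (27 names).
FIELDS = ["date", "time", "time_taken", "c_ip", "src_user", "user_group",
          "x_exception_id", "filter_result", "category", "http_referrer",
          "sc_status", "http_method", "action", "http_content_type",
          "uri_scheme", "dest_host", "dest_port", "uri_path", "uri_query",
          "uri_extension", "http_user_agent", "dvc_ip", "cs_bytes", "sc_bytes",
          "x_virus_id", "x_bc_app_name", "x_bc_app_op"]

# Constructed sample event: the values from the question joined with single
# spaces; the long query string is replaced by a placeholder (assumption).
SAMPLE_EVENT = (
    '2013-01-30 22:15:07 698 10.100.10.100 USER - - OBSERVED '
    '"Web Advertisements" - 200 TCP_NC_MISS GET text/html;%20charset=UTF-8 '
    'http googleads.g.doubleclick.net 80 /pagead/ads ?client=QUERY_PLACEHOLDER '
    'www.kpdirection.com - '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) '
    'Chrome/24.0.1312.56 Safari/537.17" 101.111.11.10 515 1120 - "none" "none"'
)


def tokenize(line):
    """Split a log line on whitespace, keeping double-quoted values whole."""
    lexer = shlex.shlex(line, posix=True)
    lexer.whitespace_split = True
    lexer.quotes = '"'
    lexer.escape = ""        # log data has no backslash escaping
    lexer.commenters = ""    # '#' is not a comment marker in log data
    return list(lexer)


def align(line, fields=FIELDS):
    """Return (field->value mapping, unassigned extra values, unfilled fields)."""
    values = tokenize(line)
    return dict(zip(fields, values)), values[len(fields):], fields[len(values):]


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


# Basic shape expectations; a failure usually means the columns are shifted.
EXPECT = {"time_taken": str.isdigit, "c_ip": is_ipv4, "sc_status": str.isdigit,
          "dest_port": str.isdigit, "cs_bytes": str.isdigit,
          "sc_bytes": str.isdigit, "dvc_ip": is_ipv4}


def validate(mapping):
    """Names of fields whose value fails its shape check, in EXPECT order."""
    return [n for n, ok in EXPECT.items() if n in mapping and not ok(mapping[n])]
```

On the constructed event this reports one more value than there are field names and flags cs_bytes and dvc_ip, which is the kind of column mismatch worth ruling out before suspecting aliases.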