I had the same problem for bluecoat:proxysg:access:syslog. It's because Splunk Add-on for Blue Coat ProxySG Version 3.5.0 has not caught up with SGOS 6.7.
I'm not sure, but I found two issues with the Add-on:
Regular expression error for cs-categories: "Technology/Internet;Web Ads/Analytics" was split into "Tech....Web" and "Ads/Analytics".
Missing x-bluecoat-application-groups field
The solution is as follows. So far it works for me (Splunk 7.2.6, SGOS 6.7.2.1).
Add to transforms.conf
[auto_kv_for_bluecoat_v6_7_x]
REGEX = ^(?:"([^"]+)"|([^"]\S*))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"|(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s+(?:"([^"]+)"|([^"]\S*))\s*(?:"([^"]+)"|([^"]\S*))?\s*(?:"([^"]+)"|([^"]\S*))?\s*(?:"([^"]+)"|([^"]\S*))?\s*(?:"([^"]+)"|([^"]\S*))?\s*$
FORMAT = date::$1 date::$2 time::$3 time::$4 time_taken::$5 time_taken::$6 c_ip::$7 c_ip::$8 cs_username::$9 cs_username::$10 cs_auth_group::$11 cs_auth_group::$12 s_supplier_name::$13 s_supplier_name::$14 s_supplier_ip::$15 s_supplier_ip::$16 s_supplier_country::$17 s_supplier_country::$18 s_supplier_failures::$19 s_supplier_failures::$20 x_exception_id::$21 x_exception_id::$22 sc_filter_result::$23 sc_filter_result::$24 cs_categories::$25 cs_categories::$26 cs_Referer::$27 cs_Referer::$28 sc_status::$29 sc_status::$30 s_action::$31 s_action::$32 cs_method::$33 cs_method::$34 rs_Content_Type::$35 rs_Content_Type::$36 cs_uri_scheme::$37 cs_uri_scheme::$38 cs_host::$39 cs_host::$40 cs_uri_port::$41 cs_uri_port::$42 cs_uri_path::$43 cs_uri_path::$44 cs_uri_query::$45 cs_uri_query::$46 cs_uri_extension::$47 cs_uri_extension::$48 cs_User_Agent::$49 cs_User_Agent::$50 s_ip::$51 s_ip::$52 sc_bytes::$53 sc_bytes::$54 cs_bytes::$55 cs_bytes::$56 x_virus_id::$57 x_virus_id::$58 x_bluecoat_application_name::$59 x_bluecoat_application_name::$60 x_bluecoat_application_operation::$61 x_bluecoat_application_operation::$62 x-bluecoat-application-groups::$63 x-bluecoat-application-groups::$64 cs_threat_risk::$65 cs_threat_risk::$66 x_bluecoat_transaction_uuid::$67 x_bluecoat_transaction_uuid::$68 x_icap_reqmod_header::$69 x_icap_reqmod_header::$70 x_icap_respmod_header::$71 x_icap_respmod_header::$72
Add to props.conf
# Supports Bluecoat 6.7 field format
REPORT-auto_kv_for_bluecoat_v6_7_x = auto_kv_for_bluecoat_v6_7_x
I hope it helps someone and the Add-on gets updated.
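Added example, not part of the original post or the Add-on: a Python check that applies the per-field pattern from the REGEX above to one log line, to show the cs-categories split and to confirm the field count before deploying a changed transform. The sample line is constructed, and the names `tokenize`, `parse`, `FIELDS` and `SAMPLE` are hypothetical.

```python
import re

# Per-field alternation taken from the page's REGEX: a double-quoted value
# (which may contain spaces) or a bare token that does not start with a quote.
TOKEN_RE = re.compile(r'(?:"([^"]+)"|([^"]\S*))')

# Field order from the page's FORMAT line; the groups field is written with
# underscores here. The REGEX makes the last four fields optional.
FIELDS = """date time time_taken c_ip cs_username cs_auth_group s_supplier_name
s_supplier_ip s_supplier_country s_supplier_failures x_exception_id
sc_filter_result cs_categories cs_Referer sc_status s_action cs_method
rs_Content_Type cs_uri_scheme cs_host cs_uri_port cs_uri_path cs_uri_query
cs_uri_extension cs_User_Agent s_ip sc_bytes cs_bytes x_virus_id
x_bluecoat_application_name x_bluecoat_application_operation
x_bluecoat_application_groups cs_threat_risk x_bluecoat_transaction_uuid
x_icap_reqmod_header x_icap_respmod_header""".split()
OPTIONAL_TAIL = 4

# Constructed sample line (not real traffic), 36 fields.
SAMPLE = ('2019-05-01 10:15:30 42 192.0.2.10 alice - example.com 198.51.100.7 '
          '- - - OBSERVED "Technology/Internet;Web Ads/Analytics" - 200 '
          'TCP_NC_MISS GET text/html http example.com 80 / - - '
          '"Mozilla/5.0 (X11; Linux x86_64)" 192.0.2.1 1024 512 - '
          '"none" "none" "none" 2 abc123 - -')

def tokenize(line):
    """Split a line into values, keeping quoted values with spaces intact."""
    values, pos, line = [], 0, line.strip()
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if m is None:
            raise ValueError(f"unparseable token at offset {pos}")
        values.append(m.group(1) if m.group(1) is not None else m.group(2))
        pos = m.end()
        while pos < len(line) and line[pos].isspace():
            pos += 1
    return values

def parse(line):
    """Map values onto FIELDS; reject lines whose field count is out of range."""
    values = tokenize(line)
    low, high = len(FIELDS) - OPTIONAL_TAIL, len(FIELDS)
    if not low <= len(values) <= high:
        raise ValueError(f"expected {low}-{high} fields, got {len(values)}")
    return dict(zip(FIELDS, values))

if __name__ == "__main__":
    print("whitespace split:", SAMPLE.split()[12])
    print("quote-aware     :", parse(SAMPLE)["cs_categories"])
```

Because the last four fields are optional, the count check only catches truncated or over-long lines; a field missing from the middle of a line still parses with shifted values.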