The "Traffic Over Time by Action" search shows 3 actions, allowed, blocked, and unknown. Can't seem to figure out where the unknown is coming from. Does anyone have any ideas?
That's going to depend on your extractions and data. Try a search like:
| datamodel Web Proxy search | search Web.action="unknown"
to get an idea of what the data looks like.
There are a few issues here.
The first is that some of these field values are malformed, or the value appears to be from bad extractions ("TCP_N", "image/gif").
The second is that there is a lookup in the app called bluecoat_proxy_actions.csv which translates the "vendor_action" to the "action" field, and it appears to be missing some possible "vendor_action" values. You can add these values yourself, but you should also open a ticket with Splunk, as this will need to be corrected in the add-on, so that when you update it, it doesn't cause problems.
I see what you mean now. I forgot to look at the Splunk_TA_bluecoat-proxysg addon. I reviewed the transforms.conf and the bluecoat_proxy_actions.csv.
Don't forget to click Accept to close the question.
Yep, you are correct, this is an issue with the Splunk_TA_bluecoat-proxysg.
The first thing I looked at was the data model but nothing really jumped out at me.
Here is the difference between an allowed event and an unknown.
Allowed:
2017-02-03 15:21:30 69 10.85.41.46 USER - - OBSERVED "Technology/Internet" http://www.thesaurus.com/ 307 TCP_NC_MISS GET text/plain;%20charset=utf-8 http pippio.com 80 /api/sync ?pid=5324&_=2&it=1&iv=edd1ff81b318d46b03033683c60946f8fe5fcda1ce073be51c831f1733e9a3fe791426b5417dce21 - "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" 10.2.0.100 955 840 - "none" "none" 7f75283638fa5134-0000000004402ac9-0000000058949ffa - "{ %22expect_sandbox%22: false }"
Unknown:
2017-02-03 15:31:13 9 10.30.1.26 USER - - OBSERVED "Technology/Internet" - 200 TCP_ACCELERATED CONNECT - tcp www.googletagmanager.com 443 / - - "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" 10.2.0.100 39 230 - "none" "none" 7f75283638fa5134-000000000441aeee-000000005894a241 - -
It looks like there is confusion with the field "200 TCP_ACCELERATED CONNECT".
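As an added, constructed illustration of the lookup gap described in the accepted answer (not the add-on's own code), the script below pulls vendor_action out of the two events quoted above, runs it through a stand-in for bluecoat_proxy_actions.csv, and triages the values that fall through to "unknown". Assumptions: the lookup rows are made up (the real file's contents are not on this page), s-action sits at token index 11 as it does in both sample lines, and mapping TCP_ACCELERATED to "allowed" is a placeholder you would verify for your own deployment.

```python
import re
import shlex

# The two Blue Coat ProxySG events quoted in this thread (allowed vs. unknown).
SAMPLE_EVENTS = [
    '2017-02-03 15:21:30 69 10.85.41.46 USER - - OBSERVED "Technology/Internet" http://www.thesaurus.com/ 307 TCP_NC_MISS GET text/plain;%20charset=utf-8 http pippio.com 80 /api/sync ?pid=5324&_=2&it=1&iv=edd1ff81b318d46b03033683c60946f8fe5fcda1ce073be51c831f1733e9a3fe791426b5417dce21 - "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" 10.2.0.100 955 840 - "none" "none" 7f75283638fa5134-0000000004402ac9-0000000058949ffa - "{ %22expect_sandbox%22: false }"',
    '2017-02-03 15:31:13 9 10.30.1.26 USER - - OBSERVED "Technology/Internet" - 200 TCP_ACCELERATED CONNECT - tcp www.googletagmanager.com 443 / - - "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" 10.2.0.100 39 230 - "none" "none" 7f75283638fa5134-000000000441aeee-000000005894a241 - -',
]

# Constructed stand-in for the add-on's bluecoat_proxy_actions.csv
# (vendor_action -> action). It deliberately lacks TCP_ACCELERATED, the gap
# the thread identifies; the real file's rows are not reproduced here.
ORIGINAL_LOOKUP = {"TCP_NC_MISS": "allowed", "TCP_HIT": "allowed", "TCP_DENIED": "blocked"}

S_ACTION_INDEX = 11  # position of s-action (vendor_action); assumed from the sample lines
VENDOR_ACTION_RE = re.compile(r"^TCP_[A-Z_]+$")

def vendor_action(event):
    """Split the space-delimited, double-quoted Blue Coat line and return s-action."""
    return shlex.split(event)[S_ACTION_INDEX]

def normalize_action(vendor, lookup):
    """Mimic the lookup: any vendor_action without a row falls through to 'unknown'."""
    return lookup.get(vendor, "unknown")

def action_counts(events, lookup):
    """Same aggregation as the 'Traffic Over Time by Action' panel, per action."""
    counts = {}
    for event in events:
        action = normalize_action(vendor_action(event), lookup)
        counts[action] = counts.get(action, 0) + 1
    return counts

def triage_unmapped(values, lookup):
    """Sort unmapped vendor_action values into: rows missing from the lookup,
    values truncated from a known action (TCP_N), and values that are not an
    action at all (image/gif), i.e. a field-extraction problem, not a lookup one."""
    result = {"lookup_gap": [], "truncated": [], "bad_extraction": []}
    for value in sorted(set(values) - set(lookup)):
        if not VENDOR_ACTION_RE.match(value):
            result["bad_extraction"].append(value)
        elif any(key.startswith(value) for key in lookup):
            result["truncated"].append(value)
        else:
            result["lookup_gap"].append(value)
    return result

if __name__ == "__main__":
    print(action_counts(SAMPLE_EVENTS, ORIGINAL_LOOKUP))  # {'allowed': 1, 'unknown': 1}
    seen = [vendor_action(e) for e in SAMPLE_EVENTS] + ["TCP_N", "image/gif"]
    print(triage_unmapped(seen, ORIGINAL_LOOKUP))
    # Local fix until the add-on is corrected: add the missing row. Mapping
    # TCP_ACCELERATED to "allowed" is an assumption to verify for your deployment.
    patched = dict(ORIGINAL_LOOKUP, TCP_ACCELERATED="allowed")
    print(action_counts(SAMPLE_EVENTS, patched))  # {'allowed': 2}
```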
Is this Blue Coat data? What is the value of the "vendor_action" field for the events?
Yes, this is Blue Coat ProxySG.
What is the value of the "vendor_action" field for the events?