Solved: Re: App for Web Proxies: Why is Action showing as ...

JSapienza · ‎02-03-2017

The "Traffic Over Time by Action" search shows 3 actions, allowed, blocked, and unknown. Can't seem to figure out where the unknown is coming from. Does anyone have any ideas ?

dshpritz · ‎02-03-2017

That's going to depend on your extractions and data. Try a search like:

| datamodel Web Proxy search | search Web.action="unknown"

to get an idea of what the data looks like.

View solution in original post

dshpritz · ‎02-03-2017

That's going to depend on your extractions and data. Try a search like:

| datamodel Web Proxy search | search Web.action="unknown"

to get an idea of what the data looks like.

JSapienza · ‎02-03-2017

there are 7 vendor actions values being reported.

dshpritz · ‎02-03-2017

There are a few issues here.

The first is that some of these field values are malformed, or the value appears to be from bad extractions ("TCP_N", "image/gif").

The second is that there is a lookup in the app called bluecoat_proxy_actions.csv which translates the "vendor_action" to the "action" field, and it appears to be missing some possible "vendor_action" values. You can add these values yourself, but you should also open a ticket with Splunk, as this will need to be corrected in the Addon, so that when you update it it doesn't cause problems.

JSapienza · ‎02-03-2017

I see what you mean now. I forgot to look at the Splunk_TA_bluecoat-proxysg addon. I reviewed the transforms.conf and the bluecoat_proxy_actions.csv.

woodcock · ‎02-21-2017

Don't forget to click Accept to close the question.

dshpritz · ‎02-03-2017

Yep, you are correct, this is an issue with the Splunk_TA_bluecoat-proxysg.

JSapienza · ‎02-03-2017

The first thing I looked at was the data model but nothing really jumped out at me.

Here is the difference between an allowed event and an unknown.

Allowed:

2017-02-03 15:21:30 69 10.85.41.46 USER - - OBSERVED "Technology/Internet" http://www.thesaurus.com/  307 TCP_NC_MISS GET text/plain;%20charset=utf-8 http pippio.com 80 /api/sync ?pid=5324&_=2&it=1&iv=edd1ff81b318d46b03033683c60946f8fe5fcda1ce073be51c831f1733e9a3fe791426b5417dce21 - "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" 10.2.0.100 955 840 - "none" "none" 7f75283638fa5134-0000000004402ac9-0000000058949ffa - "{ %22expect_sandbox%22: false }"

Unknown:

2017-02-03 15:31:13 9 10.30.1.26 USER - - OBSERVED "Technology/Internet" -  200 TCP_ACCELERATED CONNECT - tcp www.googletagmanager.com 443 / - - "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" 10.2.0.100 39 230 - "none" "none" 7f75283638fa5134-000000000441aeee-000000005894a241 - -

looks like there is confusion with the field "200 TCP_ACCELERATED CONNECT"

dshpritz · ‎02-03-2017

Is this bluecoat data? what is the value of the "vendor_action" field for the events?

JSapienza · ‎02-03-2017

yes this is Blue Coat ProxySG.

dshpritz · ‎02-03-2017

what is the value of the "vendor_action" field for the events?

App for Web Proxies: Why is Action showing as Unknown

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes