BlueCoat Cacheflow with splunk 6.2

Buhl3r
New Member

Hello All,

I started by installing the Bluecoat app for Splunk, only to find out that it is not compatible with Splunk 6.2.
Also, I noticed that most of the searches are from proxy_sg, which I don't need because I don't have a ProxySG.

I intend to develop a dashboard with the most important information that we can get from Bluecoat logs.

I'm trying to understand which searches to include. Does anyone have any searches that can be applied to the Bluecoat CacheFlow? For example, users with the most hits, most cached sites, etc.

Below is an example of the file:

#Software: CacheFlow 3.4.2.2
#Version: 1.0
#Start-Date: 2015-10-22 11:49:11
#Date: 2015-09-30 22:52:05
#Fields: date time c-ip time-taken sc-status sc-bytes cs-bytes rs-bytes sr-bytes s-action cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) cs-ip cs-categories c-uri x-exception-id rs(Content-Type)
#Remark: 4612230005 "CF01-BC-LAD-CT-FILDA" "10.35.87.34" "main"

2015-10-22 11:49:11 10.114.172.124 11 200 8040 599 0 0 TCP_HIT GET http mt0.googleapis.com 80 /vt ?pb=!1m5!1m4!1i13!2i4400!3i4300!4i256!2m3!1e0!2sm!3i325000000!3m9!2spt-PT!3sUS!5e18!12m1!1e50!12m3!1e37!2m1!1ssmartmaps!4e0!5m1!5f2 - "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1" 195.8.11.50 "none" http://mt0.googleapis.com/vt?pb=!1m5!1m4!1i13!2i4400!3i4300!4i256!2m3!1e0!2sm!3i325000000!3m9!2spt-P... - image/png
2015-10-22 11:49:11 10.114.202.235 4177 200 292 491 292 491 TCP_NC_MISS POST http api.gifshow.com 80 /rest/n/system/speed ?did=7D42619E-4F4F-4F88-8278-54E5C7793CFD&mod=iPhone7,2&sys=ios8.3&net=%E4%B8%AD%E5%9B%BD%E7%A7%BB%E5%8A%A85&c=a&ver=4.73 - "kwai-ios" 180.186.38.200 "none" http://api.gifshow.com/rest/n/system/speed?did=7D42619E-4F4F-4F88-8278-54E5C7793CFD&mod=iPhone7,2&sy... - application/json;charset=UTF-8
2015-10-22 11:49:11 10.115.180.166 30005 503 915 3028 0 0 TCP_ERR_MISS POST http statsfe2.update.microsoft.com 80 /ReportingWebService/ReportingWebService.asmx - asmx "Windows-Update-Agent/7.9.9600.18066 Client-Protocol/1.21" 65.52.108.153 "none" http://statsfe2.update.microsoft.com/ReportingWebService/ReportingWebService.asmx tcp_error -

All help is welcome. Thanks.
Buhl3r

0 Karma

mreynov_splunk
Splunk Employee

This format matches the proxySG logging format. You can try this TA: https://splunkbase.splunk.com/app/2758/

0 Karma
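As a starting point for the searches asked for above (users with the most hits, most cached sites), here is an added example that is not part of the original post, the reply, or the Blue Coat TA: a small Python parser for the W3C ELFF access-log format shown in the question. It reads the column layout from the `#Fields` directive (ELFF directive lines begin with `#`, which the forum rendering of the sample dropped) and computes the summaries a CacheFlow dashboard would typically show. The log lines embedded in it are constructed, shortened versions of the post's sample; treating every s-action value containing HIT as a cache hit is an assumption based on the values visible in the post (TCP_HIT versus TCP_NC_MISS and TCP_ERR_MISS), not a documented Blue Coat rule.

```python
"""Parse Blue Coat CacheFlow / ProxySG access logs (W3C ELFF) and build the
summaries a CacheFlow dashboard would show: busiest clients, bytes per client,
cache hit ratio, most cached hosts and exception counts.

Added example; not code from the original post, the Blue Coat TA or Splunk.
The sample log below is constructed (field layout copied from the post's
#Fields header) and the HIT/MISS classification is an assumption.
"""
import csv
from collections import Counter

# Constructed sample log: same #Fields directive as the post, data lines
# shortened. The last line is deliberately truncated to exercise the field check.
SAMPLE_LOG = """\
#Software: CacheFlow 3.4.2.2
#Version: 1.0
#Start-Date: 2015-10-22 11:49:11
#Fields: date time c-ip time-taken sc-status sc-bytes cs-bytes rs-bytes sr-bytes s-action cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) cs-ip cs-categories c-uri x-exception-id rs(Content-Type)
#Remark: 4612230005 "CF01-BC-LAD-CT-FILDA" "10.35.87.34" "main"
2015-10-22 11:49:11 10.114.172.124 11 200 8040 599 0 0 TCP_HIT GET http mt0.googleapis.com 80 /vt ?pb=!1m5!1m4!1i13 - "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) Safari/601.1" 195.8.11.50 "none" http://mt0.googleapis.com/vt?pb=!1m5!1m4!1i13 - image/png
2015-10-22 11:49:11 10.114.202.235 4177 200 292 491 292 491 TCP_NC_MISS POST http api.gifshow.com 80 /rest/n/system/speed ?did=7D42619E - "kwai-ios" 180.186.38.200 "none" http://api.gifshow.com/rest/n/system/speed?did=7D42619E - application/json;charset=UTF-8
2015-10-22 11:49:11 10.115.180.166 30005 503 915 3028 0 0 TCP_ERR_MISS POST http statsfe2.update.microsoft.com 80 /ReportingWebService/ReportingWebService.asmx - asmx "Windows-Update-Agent/7.9.9600.18066 Client-Protocol/1.21" 65.52.108.153 "none" http://statsfe2.update.microsoft.com/ReportingWebService/ReportingWebService.asmx tcp_error -
2015-10-22 11:49:12 10.114.172.124 9 200 15200 610 0 0 TCP_HIT GET http mt1.googleapis.com 80 /vt ?pb=!1m5!1m4!1i13 - "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) Safari/601.1" 195.8.11.50 "none" http://mt1.googleapis.com/vt?pb=!1m5!1m4!1i13 - image/png
2015-10-22 11:49:12 10.114.172.124 210 200 48110 720 48110 720 TCP_MISS GET http mt0.googleapis.com 80 /vt ?pb=!1m5!1m4!1i14 - "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) Safari/601.1" 195.8.11.50 "none" http://mt0.googleapis.com/vt?pb=!1m5!1m4!1i14 - image/png
2015-10-22 11:49:13 10.114.202.235 3 200 5120 400 0 0 TCP_MEM_HIT GET http mt0.googleapis.com 80 /vt ?pb=!1m5!1m4!1i13 - "kwai-ios" 195.8.11.50 "none" http://mt0.googleapis.com/vt?pb=!1m5!1m4!1i13 - image/png
2015-10-22 11:49:13 10.115.180.166 5 200 100
"""

EMPTY = "-"  # ELFF writes "-" for an absent value


def parse_elff(text):
    """Return (fields, rows, skipped). Column names come from the #Fields
    directive, so the parser follows whatever layout the appliance was
    configured with instead of hard-coding the 23 columns from the post."""
    fields, rows, skipped = None, [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Start-Date, #Remark, ...
        if fields is None:
            skipped += 1  # data before any #Fields directive: layout unknown
            continue
        # Space-delimited; values with spaces (User-Agent, categories) are double-quoted
        values = next(csv.reader([line], delimiter=" ", quotechar='"'))
        if len(values) != len(fields):
            skipped += 1  # truncated or wrapped line: do not guess the column alignment
            continue
        rows.append({k: (None if v == EMPTY else v) for k, v in zip(fields, values)})
    return fields, rows, skipped


def is_cache_hit(action):
    """Assumption: s-action values containing HIT (TCP_HIT, TCP_MEM_HIT) were
    served from cache; everything else (TCP_NC_MISS, TCP_ERR_MISS, ...) was not."""
    return action is not None and "HIT" in action


def top_clients(rows, n=10):
    """Clients with the most requests, as (c-ip, count) pairs."""
    return Counter(r["c-ip"] for r in rows).most_common(n)


def bytes_per_client(rows):
    """Bytes sent to each client (sc-bytes); useful for spotting heavy downloaders."""
    total = Counter()
    for r in rows:
        total[r["c-ip"]] += int(r["sc-bytes"] or 0)
    return dict(total)


def cache_summary(rows):
    """Hit ratio plus a breakdown of requests by s-action."""
    actions = Counter(r["s-action"] for r in rows)
    hits = sum(1 for r in rows if is_cache_hit(r["s-action"]))
    ratio = hits / len(rows) if rows else 0.0
    return {"requests": len(rows), "hits": hits, "hit_ratio": ratio, "by_action": dict(actions)}


def most_cached_hosts(rows, n=10):
    """Hosts most often served from cache, as (cs-host, count) pairs."""
    return Counter(r["cs-host"] for r in rows if is_cache_hit(r["s-action"])).most_common(n)


def exceptions(rows):
    """x-exception-id values (e.g. tcp_error) with their counts; "-" rows are ignored."""
    return dict(Counter(r["x-exception-id"] for r in rows if r["x-exception-id"]))


if __name__ == "__main__":
    fields, rows, skipped = parse_elff(SAMPLE_LOG)
    print(f"{len(rows)} rows parsed, {skipped} skipped, {len(fields)} fields")
    print("top clients:", top_clients(rows))
    print("bytes per client:", bytes_per_client(rows))
    print("cache:", cache_summary(rows))
    print("most cached hosts:", most_cached_hosts(rows))
    print("exceptions:", exceptions(rows))
```

Lines whose field count does not match the `#Fields` header are counted as skipped rather than parsed, because a truncated or wrapped line would otherwise silently shift values into the wrong columns; that is the same symptom to look for in Splunk when a field extraction starts putting the User-Agent into cs-ip. Each summary function corresponds to one panel of the dashboard described in the question and maps straightforwardly onto a stats search once the sourcetype's field extractions are in place.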