Bluecoat App

andiaye
Explorer

Hello,

I have installed the Bluecoat ProxySG app on my Splunk.

Related to the procedure below:

In Splunk, you will need to add a new TCP Data input. The app expects the source type to be bcoat_log. You may choose something different, but you will need to modify the app as well. To add this input, log into Splunk and click on Manager. Under the Data section, click on "Data inputs". Then click on "Add new" for a TCP input. On this page, you can enter the port number, 20108 for example. You can optionally override the source name as well. Leave "Set sourcetype" as "From list", and choose bcoat_log from the dropdown list. Click on more settings, and set the index for this source to be bcoat_logs.

I configured my BC to send log files to the Splunk server, but the app dashboard does not display any results.

When I search with index=bcoat_logs, I can see log information. With a search on sourcetype=bcoat_log, I have no results.

Do you have an idea why it does not work?

Thank you in advance.

0 Karma

kvatinelle
Engager

I am also having the same issue.

I followed the tips in this page. But I keep getting a blank page in "BlueCoat Traffic Overview".

Hopefully someone will have another idea?

Best Regards

0 Karma

andiaye
Explorer

Thank you for your answer.
After editing, it changes nothing in the results.

When I search with the index or with bcoat_request in the BC App Search tab, I see some logs with sourcetype="bcoat_proxysg" and source=bcoat.

But sourcetype="bcoat_proxysg" gives no results. I tried this line (no results):
bcoat_request filter_result="DENIED" src_ip != "-" | top src_ip limit=10 countfield="Requests" | rename src_ip as "Client IP"

No dashboard is displayed.

Any idea ?

Thanks in advance.

0 Karma

andiaye
Explorer

I added the index bcoat_logs to "Indexes searched by default".
By typing just the name of the index, it displays some results.

But it changes nothing for the app dashboard, i.e. it does not work.

0 Karma

sowings
Splunk Employee

Your list of default indexes searched (that is, if you don't explicitly say "index=...") is just "main" by default. Check the roles (in the Manager under Access Controls) to see the "list of indexes searched by default".

(Or just type the name of the index in your searches.)

0 Karma

sowings
Splunk Employee

This app remaps incoming data from the "bcoat_logs" sourcetype to "bcoat_proxysg" (for matching events). When searching via the search bar, use the latter sourcetype. The app itself is keyed on the latter type, so your dashboards should work just fine.

0 Karma
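The three pieces of configuration discussed in this thread (the TCP input from the install procedure, the index-time sourcetype remap that sowings describes, and the role's default search indexes) written out as an added example. This is not the app's own configuration and the exact mechanism the app uses for the remap is not shown on this page; the TRANSFORMS-based override below is one standard Splunk way to achieve the behaviour described. The port 20108, the names bcoat_log / bcoat_logs / bcoat_proxysg and the 10.0.0.0/8 source network are taken from the thread or assumed for illustration; the stanza names bcoat_set_proxysg and the role name are hypothetical.

```ini
# ---- inputs.conf (on the indexer or heavy forwarder that receives the proxy logs) ----
# Raw TCP input as in the install procedure. Anything that can reach port 20108 can
# inject events into this index, so restrict the sender with an ACL (assumed network
# 10.0.0.0/8, the range the ProxySG lives in) instead of accepting from everywhere.
[tcp://20108]
sourcetype = bcoat_log
index = bcoat_logs
connection_host = ip
acceptFrom = 10.0.0.0/8, !*

# ---- props.conf ----
# Index-time override: every event that arrives with sourcetype bcoat_log is rewritten
# to bcoat_proxysg before it is written to the index. This is why a later search for
# sourcetype=bcoat_log returns nothing while index=bcoat_logs still shows the events.
[bcoat_log]
TRANSFORMS-set_sourcetype = bcoat_set_proxysg

# ---- transforms.conf ----
# Match every event (REGEX = .) and replace the Sourcetype metadata key.
[bcoat_set_proxysg]
REGEX = .
FORMAT = sourcetype::bcoat_proxysg
DEST_KEY = MetaData:Sourcetype

# ---- authorize.conf ----
# Lets a role's searches hit bcoat_logs without an explicit index= clause; the
# dashboards still need the sourcetype above, so this alone does not fix an empty panel.
[role_bcoat_analyst]
srchIndexesAllowed = bcoat_logs;main
srchIndexesDefault = bcoat_logs;main
```

An index-time override only applies to events received after Splunk has been restarted with the new configuration; events already indexed keep the sourcetype they arrived with. To confirm what actually landed, run `index=bcoat_logs | stats count by sourcetype, source` over the relevant time range: the dashboards will only populate for rows whose sourcetype is bcoat_proxysg.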