Events are gibberish

marc_anthony
Engager

Hey guys, running into a bit of a problem with this app. We're testing the feasibility of replacing Blue Coat Reporter with Splunk but I'm not having much luck getting it to work. I've got Splunk installed and up-to-date. The Google Maps app is installed. I've set up the data input and set the log types to bcoat_log. To be safe, I created a new log type using the fields listed in the app documentation called "splunk". I'm getting data into Splunk but the logs are gibberish. The host name is correctly identified but the event data is unusable. Here is a sample of one of the logs.

100 » 8/12/13
1:25:04.000 PM

xF5x83xE5Z?xEFx9CxF2hxEQxF3x83$xF9YxA7x8EQxBDN=xFpZxB0>mx87x14xC3ϏLx15xF8
host=labproxysg | sourcetype=bcoat_proxysg | source=tcp:20108

The code on my lab SG is 6.5.1.1. Splunk is version 5.0.4. Blue Coat app is version 3.0.7.

Any ideas?

0 Karma
1 Solution

marc_anthony
Engager

The problem was that I was sending the files over in GZip form instead of text.

0 Karma

yhamza
New Member

No answer to this? I have the same problem. Is there a way to transform the input so that the data is uncompressed?
I mean configuring Splunk to decompress the stream of logs.

0 Karma

Ayn
Legend

What kind of data are you sending to the port TCP/20108?

0 Karma
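
A check for the kind of data arriving on the input, as an added example that is not part of the original thread: it tests a captured payload for the gzip magic bytes and decompresses concatenated gzip members back into text lines. The sample log lines, the function names and the 0.95 threshold are constructed for illustration and do not reproduce the Blue Coat access-log format.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # ID1, ID2 from RFC 1952

def looks_like_gzip(data: bytes) -> bool:
    """True if the payload starts with a gzip member header using deflate (CM=8)."""
    return len(data) >= 3 and data[:2] == GZIP_MAGIC and data[2] == 8

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/LF/CR."""
    if not data:
        return 1.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def classify(data: bytes) -> str:
    """Label a captured payload as 'gzip', 'text' or 'binary'."""
    if looks_like_gzip(data):
        return "gzip"
    # Assumed threshold: plain-text logs are almost entirely printable.
    return "text" if printable_ratio(data) > 0.95 else "binary"

def gunzip_stream(data: bytes) -> bytes:
    """Decompress one or more concatenated gzip members; stop at a truncated tail."""
    out = bytearray()
    while looks_like_gzip(data):
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
        out += d.decompress(data)
        if not d.eof:          # capture ended mid-member
            break
        data = d.unused_data   # bytes of the next member, if any
    return bytes(out)

def to_events(data: bytes) -> list:
    """Return text lines, decompressing first when the payload is gzip."""
    if looks_like_gzip(data):
        data = gunzip_stream(data)
    return data.decode("utf-8", errors="replace").splitlines()

# Constructed sample lines (not the real Blue Coat log format).
SAMPLE_LINES = [f"2013-08-12 13:25:{s:02d} 10.0.0.5 GET http://example.test/{s} 200"
                for s in range(4, 24)]
SAMPLE_TEXT = ("\n".join(SAMPLE_LINES) + "\n").encode()
# Two gzip members back to back, as when compressed chunks are sent one after another.
SAMPLE_GZ = (gzip.compress(("\n".join(SAMPLE_LINES[:10]) + "\n").encode())
             + gzip.compress(("\n".join(SAMPLE_LINES[10:]) + "\n").encode()))

if __name__ == "__main__":
    for name, blob in (("text", SAMPLE_TEXT), ("gzip", SAMPLE_GZ), ("mid-stream", SAMPLE_GZ[10:])):
        print(name, classify(blob), f"{printable_ratio(blob):.2f}")
```

A chunk taken from the middle of a compressed stream has no magic bytes, so it is reported as `binary` rather than `gzip`.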