
Events are gibberish

marc_anthony
Engager

Hey guys, running into a bit of a problem with this app. We're testing the feasibility of replacing Blue Coat Reporter with Splunk but I'm not having much luck getting it to work. I've got Splunk installed and up-to-date. The Google Maps app is installed. I've set up the data input and set the log types to bcoat_log. To be safe, I created a new log type using the fields listed in the app documentation called "splunk". I'm getting data into Splunk but the logs are gibberish. The host name is correctly identified but the event data is unusable. Here is a sample of one of the logs.

8/12/13 1:25:04.000 PM

xF5x83xE5Z?xEFx9CxF2hxEQxF3x83$xF9YxA7x8EQxBDN=xFpZxB0>mx87x14xC3ϏLx15xF8
host=labproxysg | sourcetype=bcoat_proxysg | source=tcp:20108

The code on my lab SG is 6.5.1.1. Splunk is version 5.0.4. Blue Coat app is version 3.0.7.

Any ideas?

0 Karma
1 Solution

marc_anthony
Engager

The problem was that I was sending the files over in GZip form instead of text.


0 Karma

yhamza
New Member

No answer to this? I have the same problem. Is there a way to transform the input so that the data is uncompressed?
I mean configuring Splunk to decompress the stream of logs.

0 Karma
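As an added example, not code from this thread or from the Blue Coat app: the quickest way to confirm what is actually arriving on a TCP input is to look at the first bytes of the payload, since gzip and zlib streams announce themselves in their headers while a ProxySG access log is plain ELFF text. The script below classifies a captured payload, decompresses it if needed, and applies a cheap "does this look like a log line" check; the sample access-log line is constructed, with made-up field values.

```python
import gzip
import zlib

# Constructed sample: one Blue Coat ProxySG access-log line in an ELFF-style
# layout (all field values are made up for this example).
SAMPLE_LOG = (
    "2013-08-12 13:25:04 120 10.0.0.25 200 TCP_HIT 1234 456 GET http "
    "www.example.com 80 / - jdoe - OBSERVED \"Search Engines\" - 10.0.0.1 "
    "\"Mozilla/5.0\" - - \"none\" -\n"
)
# The same line as it would arrive if the sender compressed it first.
SAMPLE_GZIP = gzip.compress(SAMPLE_LOG.encode())
SAMPLE_ZLIB = zlib.compress(SAMPLE_LOG.encode())

GZIP_MAGIC = b"\x1f\x8b"  # RFC 1952: every gzip member starts with these two bytes


def classify_payload(data: bytes) -> str:
    """Return 'gzip', 'zlib' or 'text' for bytes received on a TCP input."""
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    # RFC 1950: CMF byte 0x78 (deflate, 32K window) and (CMF*256 + FLG) % 31 == 0
    if len(data) >= 2 and data[0] == 0x78 and (data[0] * 256 + data[1]) % 31 == 0:
        return "zlib"
    return "text"


def to_text(data: bytes) -> str:
    """Decompress if the header says so, then decode so the event reads as a log line."""
    kind = classify_payload(data)
    if kind == "gzip":
        data = gzip.decompress(data)
    elif kind == "zlib":
        data = zlib.decompress(data)
    return data.decode("utf-8", errors="replace")


def looks_like_access_log(text: str) -> bool:
    """Sanity check: almost entirely printable and has at least a few whitespace-separated fields."""
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text) / max(len(text), 1)
    return printable > 0.95 and len(text.split()) >= 5


if __name__ == "__main__":
    for label, payload in (("text", SAMPLE_LOG.encode()), ("gzip", SAMPLE_GZIP), ("zlib", SAMPLE_ZLIB)):
        raw = payload.decode("latin-1")  # what Splunk would show if it indexed the bytes as-is
        print(f"{label}: header says {classify_payload(payload)}, readable as-is: {looks_like_access_log(raw)}")
        print("   decoded:", to_text(payload).strip())
```

Run it against bytes captured from the sender (for example the first few hundred bytes of a packet capture on the input port) to see whether the stream needs to be decompressed before Splunk sees it.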

Ayn
Legend

What kind of data are you sending to the port TCP/20108?

0 Karma