Splunk Add-on for Blue Coat ProxySG: Why are field extractions not working? Is there an app with prebuilt reports?

nychawk
Communicator

I am collecting my blue coat logs into several syslog servers, and sending into Splunk with universal forwarders on each.

My proxies are running the latest SGOS; I know there is a difference in several V6s.

My etc/local/inputs.conf on my UF's was not working at all when I had sourcetype = bluecoat:proxysg:access:file, so I tried using bluecoat:proxysg:access:syslog, and I began to immediately see data. The problem with my data is that I am not seeing the field extractions I expect to see. Did anyone have to create a local props.conf and/or transforms.conf? If so, can you post them here?

Also, what Splunk app should I use to create some canned reports? Is there one I should use, or I can alter to make work with this add-on?

Thank you in advance.

0 Karma

nychawk
Communicator

I should have updated this question to reflect my latest changes; prebuilt panels were already added.

What I am looking for is an app that properly searches my index; the latest version of the Bluecoat app does not seem to work.

Thank you.

0 Karma

dshpritz
SplunkTrust

This exists:

https://splunkbase.splunk.com/app/2624/

That said, it is not specifically for Bluecoat, but is for any CIM-compliant proxy data. It also uses Accelerated Data Models for the reporting, so that is something to be aware of (check the docs).

0 Karma

nychawk
Communicator

Thank you David, I'll give this a go in the next 2-3 weeks; disk space is a commodity at the moment; hoping to get this installed before .conf 😉

Your user report is definitely one report I am looking for.

0 Karma