I am collecting my Blue Coat logs into several syslog servers, and sending them into Splunk with universal forwarders on each.
My proxies are running the latest SGOS; I know there is a difference in several V6s.
My etc/local/inputs.conf on my UFs was not working at all when I had sourcetype = bluecoat:proxysg:access:file, so I tried using bluecoat:proxysg:access:syslog, and I began to immediately see data. The problem with my data is that I am not seeing the field extractions I expect to see. Did anyone have to create a local props.conf and/or transforms.conf? If so, can you post them here?
Also, what Splunk app should I use to create some canned reports? Is there one I should use, or one I can alter to make work with this add-on?
Thank you in advance.
I should have updated this question to reflect my latest changes; prebuilt panels were already added.
What I am looking for is an app that properly searches my index; the latest version of the Bluecoat app does not seem to work.
Thank you.
This exists:
https://splunkbase.splunk.com/app/2624/
That said, it is not specifically for Bluecoat, but is for any CIM-compliant proxy data. It also uses Accelerated Data Models for the reporting, so that is something to be aware of (check the docs).
Thank you, David. I'll give this a go in the next 2-3 weeks; disk space is a commodity at the moment. Hoping to get this installed before .conf 😉
Your user report is definitely one report I am looking for.