I am collecting my Blue Coat logs on several syslog servers and sending them into Splunk with a universal forwarder on each.
My proxies are running the latest SGOS; I know there are differences between several of the v6 releases.
The etc/local/inputs.conf on my UFs was not working at all when I had sourcetype = bluecoat:proxysg:access:file, so I tried sourcetype = bluecoat:proxysg:access:syslog instead, and I immediately began to see data. The problem with my data is that I am not seeing the field extractions I expect. Did anyone have to create a local props.conf and/or transforms.conf? If so, can you post them here?
Also, which Splunk app should I use to create some canned reports? Is there one I should use as-is, or one I can alter to work with this add-on?