All Apps and Add-ons

Splunk add-on for Blue Coat ProxySG: Why are the logs arriving fragmented on the Splunk Heavy Forwarder?

o_calmels
Communicator

Hi splunkers!

I just added a new BlueCoat box as my new proxy.
After configuring it just like my current one, the logs arrived on the Heavy Forwarder ethernet interface, but they arrived fragmented in multiple small frames. With approx. 1600 users logged on to this new proxy, I'm quite sure that the logs received are not complete.

My SGOS version is 6.7.3.1

Has anybody encountered this kind of problem?

Thanks.

Olivier.

0 Karma

sduchene_splunk
Splunk Employee

Olivier: to complete micahkemp's answer:

1. Can you share your inputs and props config using btool? (e.g., the command to list props is: ./splunk cmd btool props list)

2. Please check the internal log for fragmentation to validate that Splunk is splitting events and not something else in the chain (a syslog server could split them, for example): search for index=_internal sourcetype=splunkd truncating.

0 Karma

micahkemp
Champion

Can you add some more context to your post? Maybe include some sample events showing how they are fragmented.

0 Karma

mdessus_splunk
Splunk Employee

How do you send your data?
If you send by syslog, some options on the syslog server send data by block, not taking into account the end of the line when cutting the blocks.

0 Karma
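The block-based splitting described in the answer above, simulated in an added Python example (not code from the thread or from Splunk): a relay that forwards fixed-size blocks versus one that forwards whole lines, and the line buffering a receiver needs to get complete events back. The Blue Coat-style access log lines are constructed for illustration.

```python
# Added example: shows how a relay that cuts data into fixed-size blocks
# (ignoring line ends) fragments events, and how a receiver that buffers
# until newline reassembles them. Log lines below are constructed.

SAMPLE_LOG = (
    "2024-03-01 10:00:01 120 10.1.2.3 200 TCP_HIT 1450 OBSERVED GET http://example.com/index.html\n"
    "2024-03-01 10:00:02 95 10.1.2.4 200 TCP_NC_MISS 5120 OBSERVED GET http://example.org/app.js\n"
    "2024-03-01 10:00:03 300 10.1.2.5 403 TCP_DENIED 0 OBSERVED CONNECT blocked.example:443\n"
)


def block_chunks(data: str, size: int) -> list[str]:
    """Forward data in fixed-size blocks, ignoring line boundaries
    (the syslog relay behaviour described in the thread)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def line_chunks(data: str) -> list[str]:
    """Forward data one complete line per message."""
    return [ln + "\n" for ln in data.splitlines()]


def count_split_events(chunks: list[str]) -> int:
    """Number of chunks whose last bytes are a partial event."""
    return sum(1 for c in chunks if not c.endswith("\n"))


def reassemble(chunks: list[str]) -> list[str]:
    """Receiver-side line buffering: hold partial text until a newline
    arrives, then emit the complete event."""
    buf, events = "", []
    for c in chunks:
        buf += c
        while "\n" in buf:
            line, buf = buf.split("\n", 1)
            events.append(line)
    if buf:
        events.append(buf)  # trailing partial event, no newline seen yet
    return events


if __name__ == "__main__":
    blocks = block_chunks(SAMPLE_LOG, 64)
    print(f"{len(blocks)} blocks, {count_split_events(blocks)} end mid-event")
    print("reassembled correctly:", reassemble(blocks) == SAMPLE_LOG.splitlines())
```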