All Apps and Add-ons

Splunk for Blue Coat ProxySG: Dashboards and reports are working, but why is the app not mapping the fields?

yhamza
New Member

I got the Splunk for Blue Coat ProxySG app and it's working properly. All the dashboards and reports are working perfectly. However, the Splunk TA for Blue Coat is not mapping the fields. In fact, even the Blue Coat fields are not visible outside the context of the Blue Coat App. I checked the permissions on the app objects and they seem OK.

0 Karma

mreynov_splunk
Splunk Employee
Splunk Employee

This sounds like permissions. Check app's object permissions in introspection_generator_addon.

graissaguel
Explorer

I had the same issue, and yes it was permission issue => Go to "Manage Apps" - "View objects" for Blue Coat app and change sharing permissions

0 Karma

ssuresh
Explorer

Try to check the log format from bluecoat proxy.

yhamza
New Member

It's Bluecoat reporter main.

0 Karma

ssuresh
Explorer

Even though its BC SG Main format may be admin has changed the format of the logging. Need to check the Props file of TA on what type of format it is referring and check back in Bluecoat SG Main settings for the same.

0 Karma

yhamza
New Member

I mentioned above that the Splunk App for Bluecoat ProxySG is already recognizing the log, as per the app documentation we setup a TCP source and set the sourcetype to bcoat_log. In the app the data show up as bcoat_proxysg with all the fields in the right place. The problem is that, out of the app's context, none of the fields are visible.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.