All Apps and Add-ons

Splunk for Blue Coat ProxySG: Dashboards and reports are working, but why is the app not mapping the fields?

yhamza
New Member

I got the Splunk for Blue Coat ProxySG app and it's working properly. All the dashboards and reports are working perfectly. However, the Splunk TA for Blue Coat is not mapping the fields. In fact, even the Blue Coat fields are not visible outside the context of the Blue Coat App. I checked the permissions on the app objects and they seem OK.

0 Karma

mreynov_splunk
Splunk Employee
Splunk Employee

This sounds like permissions. Check app's object permissions in introspection_generator_addon.

graissaguel
Explorer

I had the same issue, and yes it was permission issue => Go to "Manage Apps" - "View objects" for Blue Coat app and change sharing permissions

0 Karma

ssuresh
Explorer

Try to check the log format from bluecoat proxy.

yhamza
New Member

It's Bluecoat reporter main.

0 Karma

ssuresh
Explorer

Even though its BC SG Main format may be admin has changed the format of the logging. Need to check the Props file of TA on what type of format it is referring and check back in Bluecoat SG Main settings for the same.

0 Karma

yhamza
New Member

I mentioned above that the Splunk App for Bluecoat ProxySG is already recognizing the log, as per the app documentation we setup a TCP source and set the sourcetype to bcoat_log. In the app the data show up as bcoat_proxysg with all the fields in the right place. The problem is that, out of the app's context, none of the fields are visible.

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...