Hello all! 🙂
I am pretty new to Splunk and it has been badly deployed in our distributed environment and I am trying to sort it out as much as I can.
The issue I am facing currently is with the Splunk for Blue Coat ProxySG app and it gives me the errors shown below:
[splunkindexersrv] Traceback (most recent call last):
[splunkindexersrv] KeyError: 'dest_host'
[splunkindexersrv] File "/opt/splunk/var/run/searchpeers/splunkshsrv-1452578380/apps/maps/bin/geoipcmd.py", line 59, in <module>
[splunkindexersrv] File "/opt/splunk/var/run/searchpeers/splunkshsrv-1452578380/apps/maps/bin/geoip.py", line 199, in process_csv_stream
[splunkindexersrv] preprocess_row=preprocess)
[splunkindexersrv] ip = row[ip_field]
Can you guys please guide me through, keeping in mind I am a newbie at this? I will be really grateful for any help.
Can you specify which "bluecoat app" you're talking about exactly? There are several in Splunkbase. Which of these are you actually referring to?
Splunk for Blue Coat ProxySG:
Splunk for Blue Coat CacheFlow:
Blue Coat ProxySG App for Splunk:
...or another one? That was just to name a few. It'll be helpful for other users to help you, and I can retag your post so it's tagged with the actual app in question.
Have you installed the additional requirements and distributed the TA to your indexers? This app is not just a search-time application; it has indexer-side requirements.
Dependencies

The app requires the Google Maps (http://splunk-base.splunk.com/apps/22365/google-maps) app from Splunkbase. You do not need to install this apps if you do not wish to use the mapping features. However, the main dashboard will not render properly without the above apps.

Installing

If you want to use the map feature, install the app dependencies from Splunkbase. If you are running a distributed splunk setup, the app contains an Add-on that you can install on the indexers. Otherwise, you just need to install the app from splunk base.
Thank you so much for the reply.
The bluecoat logs were being sent to one of the search heads directly; recently they were moved to the heavy forwarder. I don't think the Google Maps app is installed on the HF. I will install it and get back to you with the results.
I reinstalled the app on the HF as well and restarted the app, but it is still showing the same error.
The only thing visible on the bluecoat app is the "requests over time" but there's no visibility of the users or the web pages they are visiting. I do see the world map though from google apps 😄
If you look in the app, in the "appserver/addons/" directory, there is a folder called TA-BlueCoat. This needs to be installed on your indexers. Did you do this?