
Why is the Splunk Add-on for Blue Coat ProxySG unable to ingest .gz files and causes our Splunk 6.4 universal forwarder to crash?

jhall0007
Path Finder

It appears the BlueCoat TA is unable to ingest .gz files - even when it is zipped by the Blue Coat proxy itself. Attempting to ingest them actually causes the entire forwarder to crash. I've attempted this on a Linux 6.3 and then a 6.4 universal forwarder (I haven't tried it with a HF).

I've manually run gunzip on some of these files and the TA seems to ingest them without a problem.

In our environment, we bypassed the issue by ingesting the data with a basic app. We intended to use the transforms elsewhere at index/search-time, but found that the initial Blue Coat headers were dropped, causing the TA to lose its ability to dynamically parse the data correctly.

Is anyone else using this TA to ingest .gz files?

Thanks,

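The poster's observation that the TA needs the initial Blue Coat header lines comes down to how ELFF access logs are laid out: the `#Fields:` directive names the columns, and every data line is only positional values. The following Python parser, an added example that is not part of this thread or of the Splunk add-on, names columns from `#Fields:`, reads a gzipped or plain file transparently by sniffing the gzip magic bytes, and fails loudly when the header lines are missing. The sample log is constructed for this example and uses a subset of bcreportermain_v1-style field names; `open_log`, `parse_elff`, `read_log`, `demo` and `loses_fields_without_header` are names chosen here, not add-on APIs.

```python
"""Parse Blue Coat ProxySG ELFF access logs (plain or .gz) using the
#Fields: header to name the columns.  Added example; not part of the
Splunk Add-on for Blue Coat ProxySG.  SAMPLE_LOG is constructed data."""
import gzip
import re
import tempfile
from typing import Dict, Iterable, Iterator, List, TextIO

# One ELFF value is either a double-quoted string (may contain spaces, with
# backslash escapes) or a run of non-space characters.  Missing values are "-".
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')

# Constructed sample: header directives followed by two access-log records.
SAMPLE_LOG = """#Software: SGOS 6.5.9.5
#Version: 1.0
#Date: 2016-05-10 12:00:00
#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs(User-Agent) sc-filter-result cs-categories s-ip
2016-05-10 12:00:01 120 10.1.2.3 200 TCP_NC_MISS 4821 512 GET http www.example.com 80 /index.html - jdoe "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" OBSERVED "Technology/Internet" 10.1.0.5
2016-05-10 12:00:02 15 10.1.2.4 403 TCP_DENIED 312 402 GET http malware.example.net 80 /payload.exe - - "curl/7.47.0" DENIED "Malicious Sources/Malnets" 10.1.0.5
"""


def tokenize(line: str) -> List[str]:
    """Split one ELFF data line into values, stripping the quotes from quoted ones."""
    return [bare if bare else quoted for quoted, bare in _TOKEN.findall(line)]


def parse_elff(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the most recent #Fields: header.

    A #Fields: line may appear more than once (e.g. after log rotation or a
    format change), so the column list is updated whenever one is seen.
    Raises ValueError if a data line arrives before any #Fields: header,
    which is the situation when the header lines are dropped on ingest.
    """
    fields: List[str] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date, #Remarks carry no columns
        if not fields:
            raise ValueError(f"line {lineno}: data before any #Fields: header")
        values = tokenize(line)
        if len(values) != len(fields):
            raise ValueError(
                f"line {lineno}: {len(values)} values for {len(fields)} fields")
        yield dict(zip(fields, values))


def open_log(path: str) -> TextIO:
    """Open a log as text, gunzipping transparently if it starts with 1f 8b."""
    with open(path, "rb") as fh:
        magic = fh.read(2)
    if magic == b"\x1f\x8b":
        return gzip.open(path, "rt", encoding="utf-8")
    return open(path, "r", encoding="utf-8")


def read_log(path: str) -> List[Dict[str, str]]:
    """Parse a whole plain or gzipped ELFF file into a list of records."""
    with open_log(path) as fh:
        return list(parse_elff(fh))


def demo() -> List[Dict[str, str]]:
    """Write the sample as a .gz file, as the proxy would deliver it, and parse it."""
    with tempfile.NamedTemporaryFile(suffix=".log.gz", delete=False) as tmp:
        tmp.write(gzip.compress(SAMPLE_LOG.encode("utf-8")))
        path = tmp.name
    return read_log(path)


def loses_fields_without_header() -> bool:
    """Reproduce the failure the post describes: with the '#' header lines
    stripped, the parser has no column names and refuses to guess them."""
    body_only = [l for l in SAMPLE_LOG.splitlines() if not l.startswith("#")]
    try:
        list(parse_elff(body_only))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for rec in demo():
        print(rec["c-ip"], rec["sc-status"], rec["sc-filter-result"],
              rec["cs-host"], rec["cs(User-Agent)"])
    print("parsing without #Fields: fails:", loses_fields_without_header())
```

Refusing to parse header-less data (rather than falling back to positional column numbers) is deliberate: silently mis-named fields are worse for detection content than an ingest error, and it makes the dropped-header problem the poster hit visible immediately instead of at search time.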

mreynov_splunk
Splunk Employee

Sounds like you were using the bluecoat:proxysg:access:file sourcetype to leverage INDEXED_EXTRACTIONS. Is that correct?

If so, you can try the bluecoat:proxysg:access:syslog sourcetype with the recommended log format (default bcereportermain_v1) configured on the Blue Coat side: http://docs.splunk.com/Documentation/AddOns/latest/BlueCoatProxySG/Sourcetypes
