It appears the BlueCoat TA is unable to ingest .gz files - even when they are zipped by the Blue Coat proxy itself. Attempting to ingest them actually causes the entire forwarder to crash. I've attempted this on a Linux 6.3 and then a 6.4 universal forwarder (I haven't tried it with an HF).
I've manually run gunzip on some of these files and the TA seems to ingest them without a problem.
In our environment, we bypassed the issue by ingesting the data with a basic app. We intended to use the transforms elsewhere at index/search-time, but found that the initial Blue Coat headers were dropped, causing the TA to lose its ability to dynamically parse the data correctly.
Is anyone else using this TA to ingest .gz files?
Thanks,
Sounds like you were using the bluecoat:proxysg:access:file sourcetype to leverage INDEXED_EXTRACTIONS. Is that correct?
If so, you can try to use the sourcetype bluecoat:proxysg:access:syslog with the recommended log format configured (default bcereportermain_v1) on the Blue Coat side: http://docs.splunk.com/Documentation/AddOns/latest/BlueCoatProxySG/Sourcetypes
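As an added example (not code from either poster, the add-on, or Splunk), here is a POSIX shell script that automates the manual gunzip step the original poster found the TA can handle: it decompresses the proxy's .gz files into a staging directory that the forwarder monitors, so the forwarder never opens a .gz itself, and it prints the inputs.conf monitor stanza for that directory using the bluecoat:proxysg:access:file sourcetype named in the reply. The directory paths, the cron-style "skip what is already staged" behaviour, and the check that a decompressed log still begins with an ELFF "#Fields:" header line are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: stage gzipped Blue Coat ProxySG access
# logs for a Universal Forwarder by decompressing them into a monitored
# directory, automating the manual gunzip workaround described above.
# Assumptions: source/staging paths are chosen by the caller, logs are in
# ELFF format with a "#Fields:" header, and the file sourcetype is wanted.

# stage_bluecoat_logs SRC DST
# Decompress every *.gz in SRC into DST, keeping the original name minus the
# .gz suffix. Files that fail gzip's integrity check are skipped, files that
# are already staged are left alone (so the script is safe to run from cron),
# and the number of newly staged files is printed on stdout.
stage_bluecoat_logs() {
    src=$1
    dst=$2
    staged=0
    mkdir -p "$dst" || return 1
    for gz in "$src"/*.gz; do
        [ -e "$gz" ] || continue            # no matches: glob stays literal
        name=$(basename "$gz" .gz)
        out="$dst/$name"
        [ -e "$out" ] && continue           # already staged on an earlier run
        if ! gzip -t "$gz" 2>/dev/null; then
            echo "skip (not a valid gzip file): $gz" >&2
            continue
        fi
        # Write to a temp name first so the forwarder never tails a half-written file.
        gzip -dc "$gz" > "$out.tmp" || { rm -f "$out.tmp"; continue; }
        mv "$out.tmp" "$out"
        staged=$((staged + 1))
    done
    echo "$staged"
}

# has_elff_header FILE
# Return 0 if the decompressed log still carries the "#Fields:" header line
# that the add-on's header-driven (INDEXED_EXTRACTIONS) parsing relies on.
# The poster's home-grown app lost these headers; plain gunzip keeps them.
has_elff_header() {
    grep -q '^#Fields:' "$1"
}

# print_inputs_stanza DST
# Emit the inputs.conf stanza that points the forwarder at the staging
# directory with the file-based sourcetype from the reply above.
print_inputs_stanza() {
    cat <<EOF
[monitor://$1]
sourcetype = bluecoat:proxysg:access:file
disabled = 0
EOF
}

# Usage (paths are example values):
#   stage_bluecoat_logs /var/log/bluecoat/incoming /var/log/bluecoat/staged
#   print_inputs_stanza /var/log/bluecoat/staged >> \
#       /opt/splunkforwarder/etc/apps/bluecoat_inputs/local/inputs.conf
```

Run the staging function from cron ahead of the forwarder's polling, and add only the staging directory (never the directory holding the .gz files) to inputs.conf. If you instead take the reply's suggestion and switch to the bluecoat:proxysg:access:syslog sourcetype, the staging step is unnecessary, since the proxy then ships events over syslog rather than as files.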