Solved: Can Splunk read Bluecoat logs formatted and compre...

BunnyHop · ‎10-29-2010

Rather than forwarding logs from the proxy server (Bluecoat), I would ideally like to see a SplunkLWF on a server that hosts the compressed bluecoat logs. Question is, would SplunkLWF see the contents of a .log.gz.done (which is what Bluecoat Reporter (BC's logging software) renamed the compressed file)?

gkanapathy · ‎10-29-2010

By default, it will not. However, if it really is a gzip file that can be uncompressed with gzip -d, then you can get Splunk to treat it the same as .gz files by adding to props.conf:

[source::....gz.done]
unarchive_cmd = gzip -cd -
sourcetype = preprocess-gzip
NO_BINARY_CHECK = true

View solution in original post

gkanapathy · ‎10-29-2010

By default, it will not. However, if it really is a gzip file that can be uncompressed with gzip -d, then you can get Splunk to treat it the same as .gz files by adding to props.conf:

[source::....gz.done]
unarchive_cmd = gzip -cd -
sourcetype = preprocess-gzip
NO_BINARY_CHECK = true

thambisetty · ‎04-13-2015

its fine if we are monitoring in linux. what about windows? In windows unarchive_cmd=gzip -cd - will not work.

————————————
If this helps, give a like below.

Brian_Osburn · ‎10-29-2010

Splunk handles .gz just fine - it'll unzip it and index it.

BunnyHop · ‎10-29-2010

That part is clear. However, Bluecoat has the function to rename the .gz file to .gz.done to differentiate the ones it has already processed. Would this be an issue?

Can Splunk read Bluecoat logs formatted and compressed as .log.gz.done file type?

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout