Getting Data In

Props not parsing the timestamp for TCP input logs

Utkc137
Explorer

Hi All,

I have a bluecoat proxy log source for which I am using the official splunk addon. However, I noticed that the timestamp is not being parsed from the logs and instead the index time is being taken.

To remedy this, I added a custom props in ../etc/apps/Splunk_TA_bluecoat-proxysg/local, with the following stanza:

[bluecoat:proxysg:access:syslog]
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=^

Rest of the configuration is the same as it is in the base app (Splunk_TA_bluecoat-proxysg).

During testing, when I upload logs through Add Data, the timestamp is being properly parsed. However, when I start using SplunkTCP to ingest the data, the timestamp extraction stops working. Note that in both scenarios the rest of the parsing configuration (field extraction and mapping) is working just fine.

Troubleshooting:

1. I tried to check props with btool; I can see the custom stanza I added there.

2. Tried putting the props in ../etc/system/local

3. Restarted Splunk multiple times.


Any ideas that I can try to get this to work? Or where should I look?

Sample Log:

2024-12-03 07:30:06 9 172.24.126.56 - - - - "None" - policy_denied DENIED "Suspicious" -  200 TCP_ACCELERATED CONNECT - tcp beyondwords-h0e8gjgjaqe0egb7.a03.azurefd.net 443 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0" 172.29.184.14 39 294 - - - - - "none" "none" "none" 7 - - 631d69b45739e3b6-00000000df56e125-00000000674eb37e - -

Splunk Search (Streaming data):

[screenshot Utkc137_0-1733313468821.png, not reproduced]

Splunk Search (uploaded data):

[screenshot Utkc137_1-1733313715498.png, not reproduced]
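
As an added illustration (editor's code, not from the original post or from the Blue Coat add-on), here is a small Python model of what TIME_PREFIX and TIME_FORMAT mean at index time, run against the sample line above. It assumes the timestamp is read as UTC, models only the strptime directives used in the thread, and takes the stanza directly from the sourcetype set in inputs.conf (a search-time rename is not consulted). The second input line, with a syslog header placed in front of the event, is constructed to show the failure mode in which TIME_PREFIX=^ no longer sits directly before the timestamp and the event falls back to index time.

```python
import re
from datetime import datetime, timezone

# Sample event from the post (shortened copy; everything after the URL path is dropped).
SAMPLE_LINE = (
    '2024-12-03 07:30:06 9 172.24.126.56 - - - - "None" - policy_denied DENIED '
    '"Suspicious" -  200 TCP_ACCELERATED CONNECT - tcp '
    'beyondwords-h0e8gjgjaqe0egb7.a03.azurefd.net 443 /'
)

# The props.conf settings from the thread, modelled as one dict per sourcetype stanza.
PROPS = {
    "bluecoat:proxysg:access:syslog": {
        "TIME_PREFIX": r"^",
        "TIME_FORMAT": "%Y-%m-%d %H:%M:%S",
    },
}

# Assumption: only the strptime directives used in the thread are modelled.
_DIRECTIVE_RE = {
    "%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}",
}


def format_to_regex(fmt):
    """Turn a TIME_FORMAT string into a regex that matches exactly that layout."""
    out, i = "", 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt):
            directive = fmt[i:i + 2]
            if directive not in _DIRECTIVE_RE:
                raise ValueError(f"unsupported directive {directive}")
            out += _DIRECTIVE_RE[directive]
            i += 2
        else:
            out += re.escape(fmt[i])
            i += 1
    return out


def extract_time(line, stanza, index_time):
    """Model of index-time extraction: locate TIME_PREFIX, then expect TIME_FORMAT
    immediately after it. Returns (timestamp, 'event') on success, or
    (index_time, 'index') when either step fails, which is the fallback the
    original poster observed on the TCP input."""
    prefix = re.search(stanza["TIME_PREFIX"], line)
    if prefix is None:
        return index_time, "index"
    rest = line[prefix.end():]
    match = re.match(format_to_regex(stanza["TIME_FORMAT"]), rest)
    if match is None:
        return index_time, "index"
    # Assumption: the event timestamp is interpreted as UTC (no TZ setting modelled).
    ts = datetime.strptime(match.group(0), stanza["TIME_FORMAT"])
    return ts.replace(tzinfo=timezone.utc), "event"


def check_sample(line, sourcetype, props, index_time):
    """Apply the stanza named for the input's sourcetype (the value from inputs.conf),
    ignoring any search-time rename, and report where _time came from."""
    stanza = props.get(sourcetype)
    if stanza is None:
        return index_time, "index"
    return extract_time(line, stanza, index_time)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    cases = [
        ("as uploaded", SAMPLE_LINE),
        # Constructed: the same event with a syslog header in front of it.
        ("with leading bytes", "<134>Dec  3 07:30:06 proxy01 " + SAMPLE_LINE),
    ]
    for label, line in cases:
        ts, origin = check_sample(line, "bluecoat:proxysg:access:syslog", PROPS, now)
        print(f"{label:18s} _time={ts.isoformat()} (from {origin})")
```

Run it against a raw line captured from the TCP stream rather than from a file upload: if the two lines differ in what precedes the timestamp, the check reports "index" for the stream and "event" for the upload, which narrows the problem to the bytes in front of the timestamp rather than to the props stanza itself.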

gcusello
SplunkTrust

Hi @Utkc137 ,

there's a priority order in reading conf files, and in that add-on there are some transformations, so probably the sourcetype you added isn't present when the local file is read and is created afterwards by a transformation; see the default sourcetype and try adding your configuration to that sourcetype.

Ciao.

Giuseppe

Utkc137
Explorer

Just tested using source in the props stanza name (source is defined in inputs.conf) and it's still picking up the index time as the timestamp 😞

gcusello
SplunkTrust

Hi @Utkc137 ,

did you try with the sourcetype "bluecoat"?

that should be the one you assigned to your input.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @Utkc137 ,

then, where did you locate the add-on?

it should be on the first HF the data passes through or (if HFs aren't present) on the Indexers.

Ciao.

Giuseppe

Utkc137
Explorer

Just tested with bluecoat sourcetype .. no luck.

It's a standalone splunk instance (dev env).

gcusello
SplunkTrust

Hi @Utkc137 ,

sorry for the very stupid question: did you restart your Splunk server after the conf update?

Could you share the inputs.conf you are using?

Please try this:

[bluecoat]
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=^
rename=bluecoat:proxysg:access:syslog

[bluecoat:proxysg:access:syslog]
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=^
pulldown_type = true
category = Network & Security
description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog
KV_MODE = none
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE=true
MAX_DAYS_AGO = 10951
TRUNCATE  = 64000

in local/props.conf

Ciao.

Giuseppe

Utkc137
Explorer

For testing, I tried the props you provided along with these inputs.conf stanzas:

Test 1:

[splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false

Test 2:

[splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat
disabled = false

Restarted Splunk on both these tests. Still no luck.

dural_yyz
Builder

Port 9997 is a reserved port for splunk - if this is an external stream from syslog or any other source please select a different port.

Example

port=2514

I selected that as 514 is syslog reserved and 1514 I have seen for TCP encrypted syslog so best to just get up and away from that.  But by keeping the *514 format it will be easier for others who may inherit your setup to know instinctively that it's a syslog source.

Utkc137
Explorer

This is the configuration I have as of now .. I am out of reasons why this would not work. Am I missing something very basic here?

Inputs:

./splunk btool inputs list --debug splunktcp://2514
/opt/splunk/etc/system/local/inputs.conf   [splunktcp://2514]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf   disabled = false
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/local/inputs.conf   index = mmsproxy
/opt/splunk/etc/system/local/inputs.conf   source = tcp.bluecoat
/opt/splunk/etc/system/local/inputs.conf   sourcetype = bluecoat:proxysg:access:syslog

Props:

./splunk btool props list --debug bluecoat | grep -ie local
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   [bluecoat]
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   TIME_FORMAT = %Y-%m-%d %H:%M:%S
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   TIME_PREFIX = ^
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   rename = bluecoat:proxysg:access:syslog
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   [bluecoat:proxysg:access:syslog]
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   EVENT_BREAKER_ENABLE = true
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   KV_MODE = none
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   MAX_DAYS_AGO = 10951
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   SHOULD_LINEMERGE = false
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   TIME_FORMAT = %Y-%m-%d %H:%M:%S
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   TIME_PREFIX = ^
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   TRUNCATE = 64000
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   category = Network & Security
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   pulldown_type = true

gcusello
SplunkTrust

Hi @Utkc137 ,

sorry, but are you receiving logs from BlueCoat using syslog or from another Splunk Forwarder? Usually BlueCoat uses syslog, not a Splunk Forwarder.

splunktcp inputs are for log forwarding from another Splunk system, not for syslog!

Ciao.

Giuseppe

Utkc137
Explorer

Switched the inputs to 2154 .. still no luck.

Utkc137
Explorer

Yes, I did restart splunk after each conf change 🙂

Here's the inputs.conf

[splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false

Will check your props too and respond back in a few min

dural_yyz
Builder

Can you share the inputs stanza you have for listening to the TCP stream?

Inside the default application props is:

[bluecoat]
rename=bluecoat:proxysg:access:syslog

This occurs at search time only per the instructions at:

https://docs.splunk.com/Documentation/Splunk/9.3.0/Admin/Propsconf#Sourcetype_configuration

rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
  sourcetype=<string>
* To search for the original source type without renaming it, use the
  field _sourcetype.
* Data from a renamed sourcetype only uses the search-time
  configuration for the target sourcetype. Field extractions
  (REPORTS/EXTRACT) for this stanza sourcetype are ignored.
* Default: empty string

This leaves any _time extraction issues with the source type identified in the inputs.conf stanza.

Utkc137
Explorer

Also, the sourcetype I used originally is also mentioned in the inputs.conf .. and remains the same until the logs are ingested
