Getting Data In

Splunk for BlueCoat

pillowhead
Explorer

Hi, I am using version 4.1 of Splunk and have installed Splunk for BlueCoat. The logs from BlueCoat are using UTC time and I want them to show up as localtime in Splunk. When I change the time format in BlueCoat to use localtime in the log format (W3C ELFF), my Splunk for BlueCoat reports page displays incorrectly. The IPs don't show up correctly, they show up as a 3-digit number, and the URLs are missing the domain portion of the URL.

Any suggestions?


Dan
Splunk Employee

The fields are h0rked because the W3C ELFF format introduces spaces into the timestamp, and the space character is being used as the delimiter for field extraction. You would need to modify the list of expected fields in $SPLUNK_HOME/etc/apps/SplunkforBluecoat/default/transforms.conf, here:

[delimExtractions]
DELIMS=" "
FIELDS="date","time","time_taken","dvc_ip","user","user_group","x_exception_id","filter_result","category","http_referrer","holder","http_response","action","http_method","http_content_type","uri_scheme","dest_host","dest_port","uri_path","uri_query","uri_extension","http_user_agent","src_ip","sc_bytes","cs_bytes","x_virus_id"

In addition, if you're changing the format of the timestamp you'll probably also have to change the following line in $SPLUNK_HOME/etc/apps/SplunkforBluecoat/default/props.conf:

TIME_FORMAT=%Y-%m-%d %T

For both changes, the usual caveat applies: don't update the default configs, or any upgrade will revert the changes. The practice is to create the config in local/ and copy over only the settings that are being changed.

Lastly, I would expect that all of this should be moot, since Splunk normalizes any timestamp in the events and stores it internally as UTC anyway. When a user searches for data, the time is then converted to the localtime of the browser. Perhaps I'm not understanding the original issue that prompted you to change to W3C?

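As an added example (not code from the Splunk for BlueCoat app or from anyone in this thread), the Python script below reproduces the mechanism Dan describes: a timestamp that contains a space consumes two space-delimited slots, so every later positional field is shifted, and the device IP and destination host come out wrong. It also shows the point made at the end of the answer, that the UTC and localtime renderings of the same event normalize to the same instant once the timestamp is parsed with the right format. The log lines are constructed, the bracketed "[DD/Mon/YYYY:hh:mm:ss +hhmm]" layout is an assumption about BlueCoat's `localtime` ELFF field, and `split_grouped` is a stand-in for a FIELDS list that matches the new token layout, not a Splunk feature.

```python
"""Added example: space-delimited field extraction versus a timestamp that
contains a space, plus UTC normalization of both timestamp layouts."""
from datetime import datetime, timezone

# Field list as it appears in the app's [delimExtractions] stanza.
DEFAULT_FIELDS = [
    "date", "time", "time_taken", "dvc_ip", "user", "user_group",
    "x_exception_id", "filter_result", "category", "http_referrer", "holder",
    "http_response", "action", "http_method", "http_content_type",
    "uri_scheme", "dest_host", "dest_port", "uri_path", "uri_query",
    "uri_extension", "http_user_agent", "src_ip", "sc_bytes", "cs_bytes",
    "x_virus_id",
]
# The natural edit once `date time` is replaced by `localtime` in the log format.
LOCAL_FIELDS = ["localtime"] + DEFAULT_FIELDS[2:]

# Constructed events (not real logs): the same request, once with the default
# UTC date/time pair and once with the assumed localtime field at UTC-4.
UTC_LINE = (
    '2010-05-12 14:22:01 120 10.1.2.3 jdoe Staff - OBSERVED '
    '"Technology/Internet" - - 200 TCP_HIT GET text/html http '
    'www.example.com 80 /index.html ?q=test html "Mozilla/5.0" '
    '192.0.2.10 1234 567 -'
)
LOCAL_LINE = (
    '[12/May/2010:10:22:01 -0400] 120 10.1.2.3 jdoe Staff - OBSERVED '
    '"Technology/Internet" - - 200 TCP_HIT GET text/html http '
    'www.example.com 80 /index.html ?q=test html "Mozilla/5.0" '
    '192.0.2.10 1234 567 -'
)


def split_naive(line):
    """What DELIMS=" " does: every space is a field boundary."""
    return line.split(" ")


def split_grouped(line):
    """Space-delimited, but keeps [...] and "..." groups as a single token."""
    tokens, buf, closer = [], [], None
    for ch in line:
        if closer is not None:          # inside a bracket or quote group
            buf.append(ch)
            if ch == closer:
                closer = None
        elif ch in '["':
            buf.append(ch)
            closer = "]" if ch == "[" else '"'
        elif ch == " ":
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def extract(line, fields, tokenizer=split_naive):
    """Positional extraction: silently pairs names with tokens, as Splunk does."""
    return dict(zip(fields, tokenizer(line)))


def layout_ok(line, fields, tokenizer=split_naive):
    """The pre-deployment check: does the token count match the FIELDS count?"""
    return len(tokenizer(line)) == len(fields)


def utc_from_default(fields):
    """TIME_FORMAT=%Y-%m-%d %T from props.conf; %T is C shorthand for %H:%M:%S."""
    ts = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc)   # the default log format writes UTC


def utc_from_localtime(fields):
    """Assumed localtime layout carries its own offset, which %z resolves."""
    ts = datetime.strptime(fields["localtime"], "[%d/%b/%Y:%H:%M:%S %z]")
    return ts.astimezone(timezone.utc)


def demo():
    broken = extract(LOCAL_LINE, LOCAL_FIELDS)                 # naive split
    fixed = extract(LOCAL_LINE, LOCAL_FIELDS, split_grouped)
    utc = extract(UTC_LINE, DEFAULT_FIELDS)
    return {
        "naive_dvc_ip": broken["dvc_ip"],         # time_taken landed here
        "naive_dest_host": broken["dest_host"],   # the domain is gone
        "grouped_dvc_ip": fixed["dvc_ip"],
        "grouped_dest_host": fixed["dest_host"],
        "same_instant": utc_from_default(utc) == utc_from_localtime(fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In Splunk terms, the equivalent of `split_grouped` is editing FIELDS in local/transforms.conf so that the number of names matches the number of tokens the new log format actually produces; `layout_ok` is the quick count to run over a few real lines before deploying such a change. The `same_instant` result is why the answer calls the whole exercise moot: once TIME_FORMAT (and the offset, where the timestamp carries one) is right, both layouts index to the same UTC epoch and the UI renders it in the viewer's local time.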

choustonweather
New Member

Error. In Splunk, I see logs from bluecoat as UTC logs. Everything else I have in Splunk shows up as localtime. I have to manually search into the future to see my bluecoat logs, which are UTC all the way from bluecoat to the search app in Splunk. I don't see anything in bluecoat for splunk.

pillowhead
Explorer

I thought it was an issue because when I viewed the traffic in realtime, it was in UTC time, so I wanted to see it in localtime when I was viewing it in realtime. I didn't realize that the time got normalized. I will just leave it the way it is.

Thank you!
