Re: How do I set up a daily report (24 hr window) ...

wkinsey2015 · ‎06-24-2015

Customer is asking for two daily report (covering 24 hour window) for the following:(bluecoat)

Peer to Peer traffic analysis report
File sharing system report

Search being used:

Sourcetype=bcoat_proxysg “key value pair that indicates filesharing activity”|table _time  “bluecoat host IP by field extraction name” “status code” “URL_String field extraction” “Categories Field Extraction”

Any suggestions/recommendations would be appreciated.

Thanks,
Bill

fdi01 · ‎06-24-2015

Hello

I think you are looking for this:

earliest=-1d@d+1h latest=-1d@d+2h

try like :

Sourcetype=bcoat_proxysg “key value pair that indicates filesharing activity” earliest=-24h latest=now|table _time “bluecoat host IP by field extraction name” “status code” “URL_String field extraction” “Categories Field Extraction”

rkent · ‎06-24-2015

According to bluecoat's reference, the category name is: "Peer-to-Peer (P2P)". Or from the url, catnum=83?

https://sitereview.bluecoat.com/catdesc.jsp?catnum=83

Here's the full list of categories: https://sitereview.bluecoat.com/categories.jsp

How do I set up a daily report (24 hr window) for Blue Coat proxy logs to search for peer to peer traffic and file sharing?

What’s New & Next in Splunk SOAR

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

September Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

How do I set up a daily report (24 hr window) for Blue Coat proxy logs to search for peer to peer traffic and file sharing?

What’s New & Next in Splunk SOAR

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

September Community Champions: A Shoutout to Our Contributors!