The bluecloat sourcetype "bluecoat:proxysg:admin:file" is tagged as error. It's also not listed at Sourcetypes for the Splunk Add-on for Symantec Blue Coat ProxySG
Why is it?
The eventtype "err0r" from the Splunk_SA_CIM is a very broad search.. that is almost a catch all
Do you happen to have the Splunk TA *nix app installed? That has some very open tag=error searches.
You can see this by checking the eventtypes involved where you see tag=error....