Splunk Enterprise Security

Enterprise Security: why is sourcetype="bluecoat:proxysg:admin:file" tagged as error

Motivator

The bluecloat sourcetype "bluecoat:proxysg:admin:file" is tagged as error. It's also not listed at Sourcetypes for the Splunk Add-on for Symantec Blue Coat ProxySG

Why is it?

0 Karma

Communicator

The eventtype "err0r" from the Splunk_SA_CIM is a very broad search.. that is almost a catch all

SplunkTrust
SplunkTrust

Do you happen to have the Splunk TA *nix app installed? That has some very open tag=error searches.
You can see this by checking the eventtypes involved where you see tag=error....