None of these regex work to extract http_user_agent. Did anyone get it right? ... View more

Haha, I did that already. I had to adjust a little bit the bluecoat add-on transform.conf file, two last fields in Regex were messing the logs and I had to adjust them a bit to include dashes while extracting. It was mostly UA field that in Regex that was really messing the logic and didn't want to extract the fields from the logs since it didn't recognize a dash if the UA was missing in the specific log. ... View more

thanks for the input ... View more

Not sure why regex is getting cut off. I attached the regex below. ... View more

Under the "Extract Fields" page, it shows that these fields should have been extracted. All fields are recognized correctly and circled with different colors. ( ?=[^p]*(?:portal.threatpulse.net|p.*portal.threatpulse.net))^(?P[^ ]+)\s+(?P[^ ]+)[^ \n]* (?P\d+)(?:[^ \n]* ){9}(?P\w+)[^"\n]*"(?P[^"]+)"\s+\-\s+(?P\d+)[^ \n]* (?P[^ ]+)\s+(?P\w+)\s+(?P[^ ]+)[^ \n]* (?P[a-z]+)\s+(?P\w+\.\w+\.\w+)\s+(?P[^ ]+)(?:[^ \n]* ){5}(?P\d+\.\d+\.\d+\.\d+)\s+(?P\d+)\s+(?P\d+\s+\-) Here is the log which fields are not getting extracted: 2016-01-15 17:08:58 56 10.167.7.93 - - portal.domain.net x.x.x.x None - - OBSERVED "Technology/Internet" - 302 TCP_NC_MISS GET text/html http portal.threatpulse.net 80 / - - - 172.16.167.104 177 80 - "none" "none" 3 454f7877563349f7-00000000027dbbf5-00000000569927aa Well, only half of fields are getting extracted to be more specific, protocol, dest_host, and dest_port are not extracted. Not sure why this is not working as any others. It should have been. ... View more

Thanks for moving it. ... View more

I tried that too, and it wasn't really helpful. I will need to dump all of the logs that the BC add-on doesn't recognize and sort them and see how many rex queries I will need to write. Thanks for your help! ... View more

If I would do one long rex for each different type of proxy logs, there would be a lot of work to do. Since you have one long rex which is really specific to that single type of proxy logs, you would need to create tons of them. I was looking for something more general, and wasn't sure how to create it. In my logs, I've been seeing a lot of different field structures. Not sure why. 2016-01-14 00:42:32 284 10.130.16.102 - - proxy.domain.net x.x.x.x None - - PROXIED "Social Networking" http://www.domain.com/article/david-bowie-blackstar-album-sales-networth 200 TCP_NC_MISS GET application/javascript;%20charset=utf-8 http platform.domain.com 80 /widgets.js - js "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36" 172.16.130.10 27626 726 - "Widgets" - none OR 2016-01-14 00:42:03 1 10.130.0.156 - - 0.0.0.0 - Invalid - invalid_request PROXIED - - 400 TCP_NC_MISS unknown - - - 0 / - - - 172.16.130.10 842 152 - "none" "none" none I have plenty of others that don't lay out together. I would work on it and try to figure something out, but if you have any idea how to approach it, I would really appreciate. ... View more

I can't find bzip2 in the bin directory, is there a way to threat done like gz files. ... View more

Would you mind sharing stanza for it? ... View more

Can you let me know what the stanza should be? ... View more

would that work on the Windows box? ... View more

no errors, would this be something related to https://answers.splunk.com/answers/8521/can-splunk-read-bluecoat-logs-formatted-and-compressed-as-log-gz-done-file-type.html ... View more

I am just fine with reading .gz files, I can't read gz.done files from the same folder. ... View more

And it doesn't collect these files. ... View more

That's what I have: [monitor://E:\Server1\BCT-GW-SG\*.done] sourcetype = bluecoat:proxysg:access:file disabled = false index=proxy ... View more