I think I finally got it working correctly 🙂 It seems that the transforms.conf file in the Splunk for BlueCoat app is wrong.
Original transforms.conf
[delimExtractions]
DELIMS=" "
FIELDS="date","time","time_taken","dvc_ip","user","user_group","x_exception_id","filter_result","category","http_referrer","holder","http_response","action","http_method","http_content_type","uri_scheme","dest_host","dest_port","uri_path","uri_query","uri_extension","http_user_agent","src_ip","sc_bytes","cs_bytes","x_virus_id"
[nullPound]
REGEX = ^\#
DEST_KEY=queue
FORMAT=nullQueue
When I switch "dvc_ip" and "src_ip" in the above, all graphs are correctly displayed.
According to the Blue Coat documentation ("SGOS Volume 8: Access Logging"), "src_ip" is actually the 4th field and "dvc_ip" is the 4th last field.
After copying the default transforms.conf file to the local directory and changing it like this:
[delimExtractions]
DELIMS=" "
FIELDS="date","time","time_taken","src_ip","user","user_group","x_exception_id","filter_result","category","http_referrer","holder","http_response","action","http_method","http_content_type","uri_scheme","dest_host","dest_port","uri_path","uri_query","uri_extension","http_user_agent","dvc_ip","sc_bytes","cs_bytes","x_virus_id"
everything works.
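Added example (not code from the original post, the Splunk for BlueCoat app, or Blue Coat): a small Python parser that splits one constructed Blue Coat access-log line on spaces, once with the field order the app shipped and once with the corrected order from the post, so the swap between src_ip and dvc_ip is visible in the resulting dictionaries. It also mirrors the [nullPound] stanza by recognising "#" header lines that the transforms route to nullQueue. The sample log line, the helper names, and the use of Python's csv module to keep quoted values (user group, category, user agent) intact are all assumptions of this example.

```python
import csv

# Field order as shipped in the app's transforms.conf (dvc_ip and src_ip swapped).
ORIGINAL_FIELDS = [
    "date", "time", "time_taken", "dvc_ip", "user", "user_group",
    "x_exception_id", "filter_result", "category", "http_referrer", "holder",
    "http_response", "action", "http_method", "http_content_type",
    "uri_scheme", "dest_host", "dest_port", "uri_path", "uri_query",
    "uri_extension", "http_user_agent", "src_ip", "sc_bytes", "cs_bytes",
    "x_virus_id",
]

# Corrected order from the post: src_ip is the 4th field, dvc_ip the 4th from last.
CORRECTED_FIELDS = list(ORIGINAL_FIELDS)
CORRECTED_FIELDS[3], CORRECTED_FIELDS[-4] = "src_ip", "dvc_ip"

# Constructed sample line (hypothetical values, 26 space-delimited fields, quoted
# values where Blue Coat would quote a value containing spaces).
SAMPLE_LINE = (
    '2012-03-15 10:22:31 120 10.1.2.3 jsmith "Domain Users" - OBSERVED '
    '"Search Engines/Portals" http://www.example.com/ - 200 TCP_NC_MISS GET '
    'text/html http www.example.com 80 /search q=splunk - '
    '"Mozilla/5.0 (Windows NT 6.1)" 192.0.2.10 1234 567 -'
)


def is_header_line(line):
    """Equivalent of the [nullPound] stanza: lines starting with '#' are dropped."""
    return line.startswith("#")


def parse_bluecoat_line(line, fields):
    """Emulate DELIMS=" " for one log line, keeping double-quoted values whole.

    Returns a dict mapping each field name to its value, or raises if the
    field count does not match the configured FIELDS list.
    """
    values = next(csv.reader([line], delimiter=" ", quotechar='"'))
    if len(values) != len(fields):
        raise ValueError(
            f"expected {len(fields)} fields, got {len(values)}: {line!r}"
        )
    return dict(zip(fields, values))


def compare_ip_fields(line=SAMPLE_LINE):
    """Parse the same line with both field orders and return the (src_ip, dvc_ip) pairs."""
    original = parse_bluecoat_line(line, ORIGINAL_FIELDS)
    corrected = parse_bluecoat_line(line, CORRECTED_FIELDS)
    return {
        "original": (original["src_ip"], original["dvc_ip"]),
        "corrected": (corrected["src_ip"], corrected["dvc_ip"]),
    }


def build_fields_stanza(fields):
    """Render a FIELDS= line in the syntax the app's transforms.conf uses."""
    return "FIELDS=" + ",".join(f'"{f}"' for f in fields)


if __name__ == "__main__":
    print(build_fields_stanza(CORRECTED_FIELDS))
    for name, pair in compare_ip_fields().items():
        print(f"{name}: src_ip={pair[0]} dvc_ip={pair[1]}")
```

With the shipped order the client address (10.1.2.3) lands in dvc_ip and the proxy address (192.0.2.10) in src_ip, which is why dashboards keyed on src_ip showed the wrong hosts; the corrected order puts each address under the name the app's searches expect. The field-count check is worth keeping in any custom parser: a line whose count differs from the FIELDS list almost always means the ProxySG access-log format was changed, and silently zipping would shift every field after the change.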