I am having the same issue now with Bluecoat logs and the Splunk add-on using indexed extraction type w3c. Unfortunately, I cannot apply the proposed solution on the forwarder, as I am receiving the logs directly on the indexer. Are there any other options to make the SEDCMD work BEFORE the file gets indexed?