Hello all, It seems that the auto key-value extraction for the "Splunk for Blue Coat" APP does not work with ProxySG 6.6.xx [auto_kv_for_bluecoat_v6_5_x] REGEX = (?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\.... After migration to .6.6, the extraction for User and date don't work. Also, the filter result is set to proxied whatever happened. Does anyone have new extractions for 6.6.xx??? Splunk Version 6.1 Splunk for Blue Coat 3.0.7 Regards Michael ... View more

Hi, I plan to connect windows Server to the Infrastructure APP and have some network design restrictions. Due to the infrastructure deployment it would be helpful to cascade universal forwarder with heavy forwarders. The heavy forwarders are directly in front of the Indexer Cluster. Is this generally possible and how could this configured or are there some functional restrictions? The use case is to connect Windows Server to the Windows infrastructure APP without direct connection to the indexer. Splunk Version 6.1 Many thanks in advanced ... View more