Instead of using the Regex, I am actually using the delimeters option which I find it to be much easier to configure.
This is an example of how mine looks like. You will need to change the delimters accordingly in the transforms.conf to match what you are outputting from your Bluecoat.
props.conf
[bcoat_proxysg]
TRANSFORM-main=nullPound
REPORT-main=delimExtractions
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %T
MAX_TIMESTAMP_LOOKAHEAD=19
KV_MODE = none
transforms.conf
[delimExtractions]
DELIMS=" "
FIELDS="date","time","time_taken","dvc_ip","user","user_group","x_exception_id","filter_result","category","http_referrer","holder","http_response","action","http_method","http_content_type","uri_scheme","dest_host","dest_port","uri_path","uri_query","uri_extension","http_user_agent","src_ip","sc_bytes","cs_bytes","x_virus_id"
[nullPound]
REGEX = ^\#
DEST_KEY=queue
FORMAT=nullQueue
... View more