Splunk® Supported Add-ons

Splunk Add-on for Symantec Blue Coat ProxySG and ASG


Troubleshoot the Splunk Add-on for Symantec Blue Coat ProxySG

For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. You can also access these support and resource links in Splunk Add-ons.

Finding legacy data

If you had a previous version of the Splunk Add-on for Symantec Blue Coat ProxySG installed, your legacy events are indexed using sourcetype=bluecoat. This version of the add-on renames that sourcetype. You can find all new events using sourcetype=bluecoat:proxysg:access:syslog.

Data collection for Blue Coat version 5.3.3 logs stops after upgrading the Splunk Add-on

Unlike previous versions, version 3.5.0 of the Splunk Add-on for Symantec Blue Coat ProxySG does not support Blue Coat version 5.3.3 logs by default. If you want to ingest version 5.3.3 logs, complete these steps:

  1. Open or create a local/props.conf file.
  2. Open default/props.conf.
  3. In the bluecoat:proxysg:access:syslog stanza of default/props.conf, copy the #REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3 line.
  4. Paste that line into the bluecoat:proxysg:access:syslog stanza of local/props.conf.
  5. In local/props.conf, uncomment the line so that it reads REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3.

Slow search performance

If you are using only one specific version of Blue Coat logs, you can comment out the REPORT-auto_kv lines for the unused versions in default/props.conf to improve search performance.

Fields are not extracted correctly using syslog

Check that you are using the correct sourcetype in your input configuration. For UDP or TCP inputs, the correct sourcetype is bluecoat:proxysg:access:syslog.

If you are using a UDP or TCP input with the correct sourcetype and the field extractions are not working, your field names or field order may have been customized in Blue Coat ProxySG. Check the fields:

  1. Open $SPLUNK_HOME/etc/apps/Splunk_TA_bluecoat-proxysg/default/transforms.conf.
  2. Identify the auto_kv_for_bluecoat stanza that matches your version of Blue Coat ProxySG.
  3. Compare the field names in the FORMAT line against the file header in your logs.
  4. If they do not match, make a local copy of this transforms.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_bluecoat-proxysg/local/.
  5. In the local copy, adjust the FORMAT line to match your logs and make any corresponding changes necessary to the regular expression.

Fields are not extracted correctly using file monitoring

Check that you are using the correct sourcetype in your input configuration. For a file monitoring input, the sourcetype should be bluecoat:proxysg:access:file.

If you are using a file monitoring input with the correct sourcetype and the field extractions are not working, check that the header at the beginning of your log file matches the field order of the events that follow it. The Splunk platform extracts all fields based on the headers at the beginning of each file. If your field definitions change mid-file, the Splunk platform cannot detect the shift.
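The two checks above (comparing the field names in a transforms.conf FORMAT line against the file header, and confirming that the header does not change mid-file) can be scripted before a log is onboarded. The following is an added example and is not code from the Splunk add-on; the FORMAT value, the header-name normalization and the log sample are constructed for illustration, so substitute the FORMAT line from your own transforms.conf stanza and a real log file.

```python
"""Compare a Blue Coat access log against the field list an extraction expects
and flag header changes mid-file.

Added example, not part of the Splunk Add-on for Symantec Blue Coat ProxySG.
EXPECTED_FORMAT and SAMPLE_LOG are constructed stand-ins.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a transforms.conf FORMAT value: the field names the
# extraction expects, in the order it expects them.
EXPECTED_FORMAT = (
    "date::$1 time::$2 time_taken::$3 c_ip::$4 cs_username::$5 sc_status::$6 "
    "cs_method::$7 cs_host::$8 cs_uri_path::$9 cs_User_Agent::$10"
)

# Constructed log sample: a W3C-style header, two events, then a second header
# with a different field order (the mid-file shift the text warns about).
SAMPLE_LOG = """\
#Software: SGOS (constructed sample)
#Version: 1.0
#Date: 2021-03-11 10:00:00
#Fields: date time time-taken c-ip cs-username sc-status cs-method cs-host cs-uri-path cs(User-Agent)
2021-03-11 10:00:01 12 10.0.0.5 jdoe 200 GET example.com /index.html "Mozilla/5.0 (X11)"
2021-03-11 10:00:02 8 10.0.0.6 - 404 GET example.org /missing "curl/7.68.0"
#Fields: date time c-ip time-taken cs-username sc-status cs-method cs-host cs-uri-path cs(User-Agent)
2021-03-11 10:00:03 10.0.0.7 15 asmith 200 GET example.net / "Mozilla/5.0 (X11)"
"""


def format_fields(format_value: str) -> List[str]:
    """Field names in a FORMAT value such as 'c_ip::$4', in order of appearance."""
    return [m.group(1) for m in re.finditer(r"(\S+?)::\$\d+", format_value)]


def normalize(name: str) -> str:
    """Fold a header name onto a FORMAT-style spelling: 'cs(User-Agent)' -> 'cs_user_agent'."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")


def split_values(line: str) -> List[str]:
    """Split an event line on whitespace while keeping double-quoted values whole."""
    tokens = re.findall(r'"[^"]*"|\S+', line)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in tokens]


def first_difference(expected: List[str], actual: List[str]) -> Optional[Tuple[int, str, str]]:
    """Position and names of the first disagreement between two field lists, or None."""
    for i in range(max(len(expected), len(actual))):
        e = expected[i] if i < len(expected) else "<missing>"
        a = actual[i] if i < len(actual) else "<missing>"
        if e != a:
            return (i, e, a)
    return None


def check_log(text: str, format_value: str) -> Dict[str, object]:
    """Walk the log once: parse each event with the header currently in force and
    record every #Fields header that disagrees with the expected FORMAT order."""
    expected = [normalize(f) for f in format_fields(format_value)]
    headers: List[List[str]] = []
    problems: List[Dict[str, object]] = []
    events: List[Dict[str, str]] = []
    current: Optional[List[str]] = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            current = [normalize(f) for f in line[len("#Fields:"):].split()]
            headers.append(current)
            diff = first_difference(expected, current)
            if diff is not None:
                problems.append({"line": lineno, "position": diff[0],
                                 "expected": diff[1], "found": diff[2]})
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no event
        if current is None:
            problems.append({"line": lineno, "position": -1,
                             "expected": "#Fields header", "found": "event before any header"})
            continue
        events.append(dict(zip(current, split_values(line))))
    return {
        "expected": expected,
        "header_count": len(headers),
        "header_changed_midfile": len({tuple(h) for h in headers}) > 1,
        "problems": problems,
        "events": events,
    }


if __name__ == "__main__":
    report = check_log(SAMPLE_LOG, EXPECTED_FORMAT)
    for p in report["problems"]:
        print(f"line {p['line']}: field {p['position']} expected {p['expected']!r}, "
              f"header has {p['found']!r}")
    print("header changed mid-file:", report["header_changed_midfile"])
```

Run against the sample, the script reports that the second #Fields header (line 7) swaps c-ip and time-taken at position 2 and that the header changed mid-file; the events after that header would be extracted with the wrong field assignments by a header-based extraction, which is exactly the situation the file-monitoring note describes. Both sides of the comparison are normalized the same way, so a FORMAT that spells a field cs_User_Agent still matches a header that spells it cs(User-Agent).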

Last modified on 11 March, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released

