Troubleshoot the Splunk Add-on for Symantec Blue Coat ProxySG
For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. You can also access these support and resource links in Splunk Add-ons.
Finding legacy data
If you had a previous version of the Splunk Add-on for Symantec Blue Coat ProxySG installed, your legacy events are indexed using sourcetype=bluecoat. This version of the add-on renames that sourcetype. You can find all new events using sourcetype=bluecoat:proxysg:access:syslog.
Slow search performance
If you are using only one specific version of Blue Coat logs, you can comment out the Report-auto_kv lines for the unused versions in default/props.conf to improve search performance.
Fields are not extracted correctly using syslog
Check that you are using the correct sourcetype in your input configuration. For UDP or TCP inputs, the correct sourcetype is bluecoat:proxysg:access:syslog.
If you are using a UDP or TCP input with the correct sourcetype and the field extractions are not working, your field names or field order may have been customized in Blue Coat ProxySG. Check the fields:
- Open $SPLUNK_HOME/etc/apps/Splunk_TA_bluecoat-proxysg/default/transforms.conf.
- Identify the auto_kv_for_bluecoat stanza that matches your version of Blue Coat ProxySG.
- Compare the field names in the FORMAT line against the file header in your logs.
- If they do not match, make a local copy of this transforms.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_bluecoat-proxysg/local/.
- In the local copy, adjust the FORMAT line to match your logs and make any corresponding changes necessary to the regular expression.
Fields are not extracted correctly using file monitoring
Check that you are using the correct sourcetype in your input configuration. For a file monitoring input, the sourcetype should be bluecoat:proxysg:access:file.
If you are using a file monitoring input with the correct sourcetype and the field extractions are not working, check that the file header in your log file matches the file's content. The Splunk platform extracts all fields based on the headers at the beginning of each file. If your field definitions change mid-file, the Splunk platform cannot detect the shift.
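As an added check for the two procedures above (comparing the FORMAT line against the log header, and spotting a header that changes mid-file), here is a Python script that is not part of the add-on: it reads a transforms.conf stanza and an access log, both constructed samples here, and reports any #Fields: header whose names or order differ from the FORMAT line, plus any second header inside the same file. The stanza name, its field list and the hyphen-to-underscore mapping are assumptions, not the add-on's actual configuration.

```python
import re
# Constructed sample stanza for illustration; not the add-on's own stanza.
SAMPLE_TRANSFORMS = """[auto_kv_for_bluecoat_sample]
REGEX = ^(\\S+)\\s+(\\S+)\\s+(\\S+)\\s+(\\S+)\\s+(\\S+)\\s+(\\S+)$
FORMAT = date::$1 time::$2 time_taken::$3 c_ip::$4 cs_username::$5 cs_method::$6
"""

# Constructed sample access log: the first header uses a customized field
# order, and the header changes part-way through the file.
SAMPLE_LOG = """#Software: SGOS
#Fields: date time c-ip time-taken cs-username cs-method
2024-01-01 10:00:00 10.0.0.5 12 alice GET
#Fields: date time time-taken c-ip cs-username cs-method cs-host
2024-01-01 10:00:01 13 10.0.0.6 bob POST example.com
"""

def format_fields(stanza_text):
    """Field names from the stanza's FORMAT line, in capture-group order.
    Assumes Splunk's 'name::$N' FORMAT syntax."""
    m = re.search(r"^FORMAT\s*=\s*(.+)$", stanza_text, re.M)
    if not m:
        raise ValueError("stanza has no FORMAT line")
    pairs = re.findall(r"(\S+?)::\$(\d+)", m.group(1))
    return [name for name, _ in sorted(pairs, key=lambda p: int(p[1]))]

def header_fields(log_text):
    """Every '#Fields:' header in the log as (line_number, [field names])."""
    return [(n, line.split()[1:])
            for n, line in enumerate(log_text.splitlines(), 1)
            if line.startswith("#Fields:")]

def check_log(stanza_text, log_text):
    """(line_number, message) findings: headers whose names or order differ
    from FORMAT, plus any header that appears after the first one."""
    expected = format_fields(stanza_text)
    headers = header_fields(log_text)
    findings = []
    for n, names in headers:
        # Assumption: the stanza names fields with '_' where the header uses '-'.
        got = [x.replace("-", "_") for x in names]
        if got != expected:
            findings.append((n, "header %s does not match FORMAT %s" % (got, expected)))
    for n, _ in headers[1:]:
        findings.append((n, "field definitions change mid-file; split the file here"))
    return findings

if __name__ == "__main__":
    for n, msg in check_log(SAMPLE_TRANSFORMS, SAMPLE_LOG):
        print("line %d: %s" % (n, msg))
```

Point the script at your own local transforms.conf stanza and a real access log to see which of the two problems applies before editing the FORMAT line or splitting the file.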