splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Make the bluecoat sourcetype match the sourcetype defined in the Splunk bluecoat addon #2347

Closed myriadic closed 1 month ago

myriadic commented 4 months ago

What is the sc4s version? most recent

Is there a pcap available? no

What the vendor name? Symantec

What's the product name? BluecoatProxy

Feature Request description: Make the bluecoat sourcetype match the sourcetype defined in the Splunk bluecoat addon

Should it support TCP or UDP? UDP

Do you want to have it for local usage or prepare a github PR? github PR

The Bluecoat addon has "KV_MODE = none" for the bluecoat sourcetype, which means the field extractions will have to match the SC4S format.

The issue with this is that SC4S strips out the timestamp. For the field extractions to work, even after making the sourcetypes match, the timestamps in the bluecoat addon need to be marked as optional in the field extraction REGEX.
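The mismatch described above, as an added illustration that is not code from the issue, SC4S or the Bluecoat add-on: a KV_MODE = none extraction whose regex requires a leading timestamp matches the raw syslog line but not the SC4S-normalised copy, while the same regex with the timestamp made optional matches both. The sample events, field names and both regexes are constructed for this example and are not the add-on's actual extraction.

```python
import re

# Constructed sample events (not taken from the issue). The raw line carries the
# date and time the proxy wrote; the SC4S-normalised copy has that prefix stripped.
RAW_EVENT = "2024-03-01 12:00:00 120 10.0.0.5 200 TCP_HIT GET http example.com /index.html"
SC4S_EVENT = "120 10.0.0.5 200 TCP_HIT GET http example.com /index.html"
SAMPLES = {"raw": RAW_EVENT, "sc4s": SC4S_EVENT}

# Hypothetical field body shared by both regexes; names are assumptions, not the
# add-on's. Each field is a single space-delimited token.
BODY = (
    r"(?P<time_taken>\d+) (?P<c_ip>\S+) (?P<sc_status>\d+) (?P<action>\S+) "
    r"(?P<method>\S+) (?P<scheme>\S+) (?P<host>\S+) (?P<uri_path>\S+)$"
)

# Mandatory timestamp prefix: the shape the issue says breaks on SC4S events.
STRICT_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) " + BODY)

# Same extraction with the timestamp wrapped in an optional non-capturing group,
# which is the fix the issue asks the add-on to make.
LENIENT_RE = re.compile(r"^(?:(?P<date>\S+) (?P<time>\S+) )?" + BODY)


def extract(pattern, event):
    """Return the extracted fields as a dict, or None when the regex does not match."""
    m = pattern.match(event)
    return m.groupdict() if m else None


def check_extraction(pattern, events):
    """Return the names of the sample events the pattern fails to extract."""
    return [name for name, ev in events.items() if extract(pattern, ev) is None]


if __name__ == "__main__":
    print("strict regex fails on:", check_extraction(STRICT_RE, SAMPLES))
    print("lenient regex fails on:", check_extraction(LENIENT_RE, SAMPLES))
    print("lenient fields from SC4S event:", extract(LENIENT_RE, SC4S_EVENT))
```

Running the check against both the raw and the SC4S form of each sample is the quickest way to confirm an add-on extraction before the sourcetype is switched over.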

mstopa-splunk commented 3 months ago

Hi @myriadic thanks for catching this.

The sourcetype fix should be merged in one of the next releases: https://github.com/splunk/splunk-connect-for-syslog/pull/2370. In the meantime I will pass the info about the incorrect REGEX to the addon owners. Can you send me an example of the event to test? The one we have in the repo is not super useful for this.

mstopa-splunk commented 1 month ago

The sourcetype fix was released in v3.25.0; the regex needs to be fixed on the add-on side. Please send a few samples to mstopa@splunk.com or to Splunk support.