splunk-connect-for-syslog
Make the bluecoat sourcetype match the sourcetype defined in the Splunk bluecoat addon
**What is the sc4s version?** most recent
**Is there a pcap available?** no
**What is the vendor name?** Symantec
**What's the product name?** BluecoatProxy
**Feature Request description:** Make the bluecoat sourcetype match the sourcetype defined in the Splunk bluecoat addon
**Should it support TCP or UDP?** UDP
**Do you want to have it for local usage or prepare a github PR?** github PR
The Bluecoat addon has "KV_MODE = none" for the bluecoat sourcetype, which means the field extractions will have to match the SC4S format.
The issue with this is that SC4S strips out the timestamp. For the field extractions to work, even after making the sourcetypes match, the timestamps in the bluecoat addon need to be marked as optional in the field extraction REGEX.
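An added illustration of the regex point above (this is not code from the issue, from SC4S or from the Bluecoat add-on; the log layout, field names and both patterns are constructed and simplified): a hypothetical extraction that requires a leading date/time fails once SC4S has stripped the timestamp, while the same extraction with the timestamp made optional matches both the raw and the SC4S-delivered event.

```python
import re

# Constructed, simplified Bluecoat-style access log line (illustrative only):
# date, time, time-taken, client IP, status, cache action, method, URL.
RAW_EVENT = "2024-05-01 12:34:56 120 10.0.0.5 200 TCP_HIT GET http://example.com/index.html"
# The same event as it would be indexed after SC4S removed the leading timestamp.
SC4S_EVENT = "120 10.0.0.5 200 TCP_HIT GET http://example.com/index.html"

# Body of the hypothetical extraction, shared by both patterns below.
FIELDS = (
    r"(?P<time_taken>\d+)\s+(?P<c_ip>\S+)\s+(?P<sc_status>\d+)\s+"
    r"(?P<s_action>\S+)\s+(?P<cs_method>\S+)\s+(?P<cs_uri>\S+)"
)
TIMESTAMP = r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"

# Hypothetical add-on style extraction: the timestamp is mandatory.
STRICT_RE = re.compile(r"^" + TIMESTAMP + FIELDS)
# Same extraction with the timestamp wrapped in an optional group.
LENIENT_RE = re.compile(r"^(?:" + TIMESTAMP + r")?" + FIELDS)


def extract(pattern, event):
    """Return the named fields as a dict (unmatched optional groups are None),
    or None when the pattern does not match the event at all."""
    m = pattern.match(event)
    return m.groupdict() if m else None


def compare_extractions():
    """Run both patterns over both event forms; True where fields were extracted."""
    return {
        "strict_raw": extract(STRICT_RE, RAW_EVENT) is not None,
        "strict_sc4s": extract(STRICT_RE, SC4S_EVENT) is not None,
        "lenient_raw": extract(LENIENT_RE, RAW_EVENT) is not None,
        "lenient_sc4s": extract(LENIENT_RE, SC4S_EVENT) is not None,
    }


if __name__ == "__main__":
    for name, ok in compare_extractions().items():
        print(f"{name}: {'fields extracted' if ok else 'NO MATCH'}")
```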
Hi @myriadic thanks for catching this.
The sourcetype fix should be merged in one of the next releases: https://github.com/splunk/splunk-connect-for-syslog/pull/2370. In the meantime I will pass the info about the incorrect REGEX to the addon owners. Can you send me an example of the event to test? The one we have in the repo is not super useful for this.
The sourcetype fix was released in v3.25.0. The regex needs to be fixed on the add-on side; please send a few samples to [email protected] or to Splunk support.