<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco eNcore eStreamer fields value changed (5.4 -&gt; 6.1) in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Cisco-eNcore-eStreamer-fields-value-changed-5-4-gt-6-1/m-p/320716#M59849</link>
    <description>&lt;P&gt;You need to check the field extraction for the affected sourcetype in props.conf and transforms.conf in the app, or you can send a sample of an affected log line and the application URL on Splunkbase to check.&lt;/P&gt;</description>
    <pubDate>Thu, 05 Apr 2018 09:39:47 GMT</pubDate>
    <dc:creator>aakwah</dc:creator>
    <dc:date>2018-04-05T09:39:47Z</dc:date>
    <item>
      <title>Cisco eNcore eStreamer fields value changed (5.4 -&gt; 6.1)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Cisco-eNcore-eStreamer-fields-value-changed-5-4-gt-6-1/m-p/320715#M59848</link>
      <description>&lt;P&gt;Hi, splunker.&lt;/P&gt;

&lt;P&gt;I'm testing two different versions of the eStreamer app. (FMC : 5.4, 6.1  / Splunk App : 1629, 3662)&lt;BR /&gt;
I found two problems with the eNcore version (3662) and rec_type=400.&lt;/P&gt;

&lt;P&gt;1) src_ip_country is okay (string), but dest_ip_country is a number.&lt;BR /&gt;
2) In the FMC 5.4 and Splunk App 1629, the fw_rule value is displayed as a letter, &lt;BR /&gt;
    but in the FMC 6.1 and Splunk App 3662 version it is displayed as a number.&lt;/P&gt;

&lt;P&gt;I wonder if this is a bug or if it is intended.&lt;BR /&gt;
If it is a bug, would you tell me which Python source to modify?&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 18:56:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Cisco-eNcore-eStreamer-fields-value-changed-5-4-gt-6-1/m-p/320715#M59848</guid>
      <dc:creator>golsida</dc:creator>
      <dc:date>2020-09-29T18:56:03Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco eNcore eStreamer fields value changed (5.4 -&gt; 6.1)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Cisco-eNcore-eStreamer-fields-value-changed-5-4-gt-6-1/m-p/320716#M59849</link>
      <description>&lt;P&gt;You need to check the field extraction for the affected sourcetype in props.conf and transforms.conf in the app, or you can send a sample of an affected log line and the application URL on Splunkbase to check.&lt;/P&gt;</description>
      <pubDate>Thu, 05 Apr 2018 09:39:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Cisco-eNcore-eStreamer-fields-value-changed-5-4-gt-6-1/m-p/320716#M59849</guid>
      <dc:creator>aakwah</dc:creator>
      <dc:date>2018-04-05T09:39:47Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco eNcore eStreamer fields value changed (5.4 -&gt; 6.1)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Cisco-eNcore-eStreamer-fields-value-changed-5-4-gt-6-1/m-p/320717#M59850</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/150695"&gt;@aakwah&lt;/a&gt;&lt;/P&gt;

&lt;P&gt;I think props.conf and transforms.conf do not matter,&lt;BR /&gt;
because the Python source code did not define some fields.&lt;/P&gt;

&lt;P&gt;For example, $SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore/estreamer/adapters/splunk.py file does not define DESTINATION_IP_COUNTRY, destinationCountry &lt;BR /&gt;
and $SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore/estreamer/metadata/view.py file does not define DESTINATION_IP_COUNTRY.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 18:56:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Cisco-eNcore-eStreamer-fields-value-changed-5-4-gt-6-1/m-p/320717#M59850</guid>
      <dc:creator>golsida</dc:creator>
      <dc:date>2020-09-29T18:56:28Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco eNcore eStreamer fields value changed (5.4 -&gt; 6.1)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Cisco-eNcore-eStreamer-fields-value-changed-5-4-gt-6-1/m-p/320718#M59851</link>
      <description>&lt;P&gt;I didn't check the app yet, but for the Check Point app, for example, the scripted input's role is to retrieve the data from the source; field extraction is then the responsibility of the search heads via transforms and props.conf.&lt;/P&gt;

&lt;P&gt;Once you have the data in the index, you can extract the fields the way you like.&lt;/P&gt;</description>
      <pubDate>Fri, 06 Apr 2018 07:30:45 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Cisco-eNcore-eStreamer-fields-value-changed-5-4-gt-6-1/m-p/320718#M59851</guid>
      <dc:creator>aakwah</dc:creator>
      <dc:date>2018-04-06T07:30:45Z</dc:date>
    </item>
  </channel>
</rss>

