Are bytes_in & bytes_out inverted in eStreamer Add...

All Apps and Add-ons

@douglashurdI had eStreamer Add-on v5.1.3 installed and believe the bytes-in/bytes-out and packets-in/packets-out are inverted.

From cisco:firepower:syslog

raw event - SrcIP: [Internet-IP], DstIP: [Firewall-IP], InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 54, ResponderBytes: 0

parsed fields - src_ip = [Internet-IP], dest_ip = [Firewall-IP], packets_received = 0, bytes_out = 54,

From cisco:estreamer:data

raw event - src_ip= [Internet-IP], dest_ip= [Firewall-IP], src_pkts=1, dst_pkts=0, src_bytes=54, dest_bytes=0

parsed fields - src_ip = [Internet-IP], dest_ip = [Firewall-IP], packets_in=1 , packets_out=0, bytes_in=54, bytes_out=0

As you can see in the parsed events, that the syslog event indicates 54 bytes sent outbound, while the eStreamer logs indicates the bytes are inbound.

I believe the the raw logs in both cases indicate that the bytes were sent outbound, so I think the cisco:estreamer:data parser may be incorrect here.

Thanks,

Gord T.

Get Updates on the Splunk Community!

Are bytes_in & bytes_out inverted in eStreamer Add-on?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation