My IronPort logs are not getting parsed correctly into the Email data model. The logs all come individually and as separate events for each MID. I installed the add-on and that created some of the needed CIM and fields, including internal_message_id. The search
index=email sourcetype="cisco:esa:textmail" | transaction internal_message_id
gives me the email as one unit. When I run:
| tstats values(All_Email.src_user) values(All_Email.action) values(All_Email.recipient) values(All_Email.src) FROM datamodel=Email WHERE sourcetype="cisco:esa:textmail" BY All_Email.subject
I get the subject, however the other fields are "unknown".
I created a Transaction Dataset to combine the fields on internal_message_id but that didn't fix anything.
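The per-MID stitching that `transaction internal_message_id` performs, shown outside Splunk as an added Python example (not part of the original post or of either add-on). The log lines are constructed, and the regexes assume the usual ESA textmail line shapes (`MID n ICID n From:`, `RID n To:`, `Subject`, `Message finished ... done`, `quarantined to`); a message whose events are incomplete is reported the way it would surface as "unknown" in tstats.

```python
import re
from collections import defaultdict
# Constructed sample cisco:esa:textmail events (not real logs): each message (MID)
# is spread over several events, so data-model fields read "unknown" until stitched.
SAMPLE_LOG = """\
Thu Apr 10 10:01:02 2025 Info: MID 4711 ICID 90 From: <alice@example.com>
Thu Apr 10 10:01:03 2025 Info: MID 4711 ICID 90 RID 0 To: <bob@example.org>
Thu Apr 10 10:01:03 2025 Info: MID 4711 Subject 'Quarterly report'
Thu Apr 10 10:01:04 2025 Info: MID 4712 ICID 91 From: <carol@example.net>
Thu Apr 10 10:01:04 2025 Info: MID 4712 ICID 91 RID 0 To: <bob@example.org>
Thu Apr 10 10:01:05 2025 Info: MID 4712 Subject 'Invoice attached'
Thu Apr 10 10:01:05 2025 Info: MID 4712 quarantined to "Policy" (message filter)
Thu Apr 10 10:01:06 2025 Info: Message finished MID 4711 done
Thu Apr 10 10:01:07 2025 Info: MID 4713 ICID 92 From: <dave@example.com>
"""
# (field, regex) pairs; group 1 is always the MID, group 2 the field value.
# Two line shapes feed the same "action" field (delivered vs. quarantined).
PATTERNS = [
    ("src_user",  re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")),
    ("recipient", re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]*)>")),
    ("subject",   re.compile(r"MID (\d+) Subject '([^']*)'")),
    ("action",    re.compile(r"Message finished MID (\d+) (done)")),
    ("action",    re.compile(r"MID (\d+) (quarantined) to")),
]
FIELDS = ["src_user", "recipient", "subject", "action"]

def stitch_messages(log_text):
    """Group per-MID events into one record per message (what `transaction` does)."""
    messages = defaultdict(lambda: {"src_user": None, "recipient": [],
                                    "subject": None, "action": "unknown"})
    for line in log_text.splitlines():
        for field, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            mid, value = m.group(1), m.group(2)
            if field == "recipient":   # one message can have several RIDs
                messages[mid]["recipient"].append(value)
            else:
                messages[mid][field] = value
    return dict(messages)

def missing_fields(messages):
    """MIDs whose record is still incomplete, i.e. would surface as 'unknown'."""
    gaps = {}
    for mid, rec in messages.items():
        absent = [f for f in FIELDS if rec[f] in (None, [], "unknown")]
        if absent:
            gaps[mid] = absent
    return gaps
```

Running `missing_fields(stitch_messages(SAMPLE_LOG))` flags MID 4713, whose recipient, subject and action events never arrived; that is the situation in which the data model shows a subject-less or "unknown" row.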
If you download my companion add-on it will take care of this for you and collect the fields into a separate summary index every hour.
See https://github.com/inspired/TA-cisco-esa-extras
You will still need the Splunk Add-on for Cisco ESA