All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Cisco Firepower App for Splunk : "no results found"

joeri_fierens
New Member
‎11-06-2019 07:42 AM

Hi all,
- Splunk Enterprise Version: 8.0.0 Build: 1357bef0a7f6
-Cisco Firepower App for Splunk version 1.3.7
-Cisco eStreamer eNcore for Splunk version 3.6.5

We've successfully setup estreamer between Splunk and our FMC, when I search in the Splunk events for sourcetype="cisco:estreamer:data", I see thousands of recent events (last 24 hours = 260416 events)

However, when I go to the Cisco firepower app for Splunk, all dashboards display "No results found".
I went over the documentation a few times, but as far as I can see, we did everything correctly.

Does anyone have an idea why the app doesn't seem to see/process the estreamer events?

Best regards,
Joeri

0 Karma
Reply

chris_barrett
SplunkTrust
SplunkTrust
‎03-23-2020 05:36 AM

The app defines a macro called FMC-index which, by default, refers to the main and estreamer indexes. If your events are not in either of those indexes then you'll need to change the macro's definition to refer to the correct index.

0 Karma
Reply

joeri_fierens
New Member
‎11-06-2019 11:50 PM

Hi Alex, it's a stand alone ubuntu server (test environment), so I guess it is not the same issue as you've experienced.
Joeri

0 Karma
Reply

alexgwilkinson
Explorer
‎11-06-2019 05:43 PM

Hi Joeri,

Is this a Splunk cluster ? Or stand alone ?

Within a clustered environment I have found I needed the TA on both the index nodes AND search head nodes.

-Alex

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...