Does the Cisco eStreamer for Splunk app support retrieving payload for intrusion events?
Yes. This is a configurable option in the Splunk eStreamer app because packet data will consume significant disk space if you choose to collect all packets with all IPS/IDS events. Docs on the app here: https://splunkbase.splunk.com/app/1629/#/documentation