I was wondering if anyone else has seen their event count drop (down to 10%?) after the FirePower team updates signatures on the Defense Center?
In the last couple of months I saw this happen twice: once when I was running 'Firepower eNcore Add-On for Splunk' v4.0.7, then once when I was running 3.6.8 (I downgraded). The FirePower team says there was nothing abnormal about their update.
I am running ~ Splunk Enterprise 8.4
Upgrading to eNcore 4.0.9 is not an option (the forwarder crashed on that version weeks ago; we opened a Cisco TAC case and they still haven't been able to tell us what happened).
Thanks, vikramyadav. The only problem is I also ran into this issue on 4.0.7 and Enterprise v8. I could downgrade, but I hope to move back to 4.x soon after Cisco resolves some of the 4.0.9 bugs (they told me they have to resolve CSCvw51040 and I might also be hitting another bug).