All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Fix Cisco Security Suite eStreamer data not populating problem

philip_w
Explorer
‎08-01-2017 01:55 AM

I found "Sourcefire IPS" section in Cisco Security Suite didn't have any data or chart populated.
Drill down a bit, it's because 2 macros relying on are referring to index=estreamer. In case of using eventgen, simulation data is output to index=main. If we're capturing eStreamer data and not specify index=estream, would also cause the same problem. I suggest Splunk would update the app and take away such dependence.

My interim solution is to have following macros.conf in local to override default macros.conf

[SfeS-estreamer-logs]
definition = sourcetype=estreamer OR sourcetype=cisco:sourcefire

[SfeS-client-check-logs]
definition = sourcetype=client_check

alt text

alt text

Preview file
334 KB
Preview file
190 KB
0 Karma
Reply

htidore
Path Finder
‎10-25-2017 12:05 AM

There are two problems with Cisco Security Suite v312 using Cisco eStreamer eNcore addon for Splunk v300 (for FMC v6).
The first one is Cisco Security Suite expects logs in index called estreamer. The solution is create inputs.conf under opt/splunk/etc/apps/TA-eStreamer/local/

[monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer/data]
disabled = false
index = estreamer

[script://./bin/splencore.sh start]
disabled = 0
index = estreamer

[script://./bin/splencore.sh status]
disabled = 0
index = estreamer

The second problem is the macro used in Cisco Security Suite. The solution is to create etc/apps/Splunk_CiscoSecuritySuite/local/macros.conf

[SfeS-index]
definition = index=estreamer

[SfeS-estreamer-logs]
definition = `SfeS-index` sourcetype=cisco:estreamer:data

[SfeS-client-check-logs]
definition = `SfeS-index` sourcetype=cisco:estreamer:status
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...