The splencore scripts will only run when run by Splunk itself - they're not designed to be run directly by the user. (They rely on environment variables specific to the Splunk user).

Navigate to app settings in Splunk – from the home page, click the “cog” icon

Find Cisco eStreamer eNcore for Splunk and click “Set-up”

At a minimum:

• enter the “FMC hostname or IP address” and
• check the “Process PKCS12 file?”. Optionally enter a password here

Each time you load this page, “Process PKCS12 file” is reset to “no” and the password is not saved. It used once to process the PKCS12 file using openSSL and store a public-private key pair.

Now enable the data inputs in Splunk.

Navigate to Settings > Data Inputs > Files & Directories and enable the single TA-eStreamer app input (cisco:estreamer:data) – this is the where the main output data files are saved

Now navigate to Settings > Data Inputs > Scripts and enable the three TA-eStreamer inputs:

• cisco:estreamer:clean – this script has no output but is used to delete data files older than 12 hours
• cisco:estreamer:log – this script uses the stdout of eNcore to take program log data. This becomes very useful where things are not going to plan
• cisco:estreamer:status – this script runs periodically to maintain a clear status of whether the program is running or not

Finally, once you have fully configured the collector and enabled the inputs, navigate back to the set-up page in app settings, enable eNcore (“is enabled?”) and press save.

To check the status, search for sourcetype="cisco:estreamer:status"
To check more detailed log output, search for sourcetype="cisco:estreamer:log"
To look for eStreamer data, search for sourcetype=" cisco:estreamer:data"