All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise not recognizing Splunk Add-on for Cisco ESA

splunkcw17
New Member
‎10-13-2017 01:17 AM

Hi All,

I'm trying to install the Cisco ESA Add-on App https://splunkbase.splunk.com/app/1761/

However when setting this up in Cisco Security Suite, it doesn't recognize the app after I've uploaded it - please see screenshots.

It does however recognize it when configuring a data input, please could you advise?

Thanks!

alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎10-13-2017 03:43 PM

the cisco:esa:legacy means you had an older version of the add-on installed before the source types were renamed to follow best practices, your events indexed with the older source types cisco_esa and cisco:esa are now searchable under this new source type.

About data not being visible the email dashboards, there rely on event type = cisco-esa. check your data and see if the event type is present. if you have the latest version of the add-on, they should be.

the eventtype uses this search
(sourcetype="cisco:esa:textmail" OR sourcetype=cisco:esa:legacy) AND (MID OR ICID OR DCID)

Try it and see if you get any results.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

khalidrucker
New Member
‎12-20-2019 05:23 PM

Hello, can you please advise on how you bypassed the original error, "No data found. Please install this add-on"?

0 Karma
Reply

splunkcw17
New Member
‎10-13-2017 03:12 AM

I've got the ESA add-on app loaded and visible in Cisco Security Suite, however ESA logs appear in the main security suite dashboard (with cisco:esa:legacy sourcetype) but not in the 'email security' tab - any ideas on this please?

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...