Hi,
We recently upgraded to the latest eStreamer eNcore app from Cisco ( https://splunkbase.splunk.com/app/3662) and are also using the new dashboard for the same ( https://splunkbase.splunk.com/app/3663), although neither of them list any CIM versions under the compatibility section.
And the only Add-on for eStreamer which does lists CIM compatibility is https://splunkbase.splunk.com/app/1808 ( Built by Splunk, not Cisco).
Is this still the correct add-on to be used for adding CIM compatibility to sourcefire data pulled by eStreamer eNcore app?
Thanks,
~Abhi
to make eStreamer data CIM Compatible?
Please use the Splunk Add-on for Cisco FireSIGHT - 1808.
Please note that at present Splunk Add-on for Cisco FireSIGHT searches for “cisco:sourcefire” events, therefore you will need to apply some kind of renaming or adjust the sourcetype values so they match.
For example navigate to Settings > Fields > Sourcetype renaming
and change from sourcetype="cisco:estreamer:data" to sourcetype="cisco:sourcefire”
After re-casting of sourcetype, will field extractions match up between the field names as presented by the encore eStreamer AddOn and the old Cisco FireSIGHT , or, is it expected to redo field aliasing between fields from new eStreamer AddOn and old Cisco FireSIGHT ?