All Apps and Add-ons

What versions of these 2 apps are compatible: Splunk Common Information Model (CIM) add-on and the Cisco eStreamer eNcore Add-on for Splunk?



We recently upgraded to the latest eStreamer eNcore app from Cisco ( and are also using the new dashboard for the same (, although neither of them list any CIM versions under the compatibility section.

And the only Add-on for eStreamer which does lists CIM compatibility is ( Built by Splunk, not Cisco).

Is this still the correct add-on to be used for adding CIM compatibility to sourcefire data pulled by eStreamer eNcore app?


to make eStreamer data CIM Compatible?

Path Finder

Please use the Splunk Add-on for Cisco FireSIGHT - 1808.

Please note that at present Splunk Add-on for Cisco FireSIGHT searches for “cisco:sourcefire” events, therefore you will need to apply some kind of renaming or adjust the sourcetype values so they match.

For example navigate to Settings > Fields > Sourcetype renaming and change from sourcetype="cisco:estreamer:data" to sourcetype="cisco:sourcefire”

0 Karma

Splunk Employee
Splunk Employee

After re-casting of sourcetype, will field extractions match up between the field names as presented by the encore eStreamer AddOn and the old Cisco FireSIGHT , or, is it expected to redo field aliasing between fields from new eStreamer AddOn and old Cisco FireSIGHT ?

0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...