What versions of these 2 apps are compatible: Splu...

att35 · ‎08-28-2017

Hi,

We recently upgraded to the latest eStreamer eNcore app from Cisco ( https://splunkbase.splunk.com/app/3662) and are also using the new dashboard for the same ( https://splunkbase.splunk.com/app/3663), although neither of them list any CIM versions under the compatibility section.

And the only Add-on for eStreamer which does lists CIM compatibility is https://splunkbase.splunk.com/app/1808 ( Built by Splunk, not Cisco).

Is this still the correct add-on to be used for adding CIM compatibility to sourcefire data pulled by eStreamer eNcore app?

Thanks,

~Abhi
to make eStreamer data CIM Compatible?

sastrach · ‎08-29-2017

Please use the Splunk Add-on for Cisco FireSIGHT - 1808.

Please note that at present Splunk Add-on for Cisco FireSIGHT searches for “cisco:sourcefire” events, therefore you will need to apply some kind of renaming or adjust the sourcetype values so they match.

For example navigate to Settings > Fields > Sourcetype renaming and change from sourcetype="cisco:estreamer:data" to sourcetype="cisco:sourcefire”

smitra_splunk · ‎03-31-2018

After re-casting of sourcetype, will field extractions match up between the field names as presented by the encore eStreamer AddOn and the old Cisco FireSIGHT , or, is it expected to redo field aliasing between fields from new eStreamer AddOn and old Cisco FireSIGHT ?

What versions of these 2 apps are compatible: Splunk Common Information Model (CIM) add-on and the Cisco eStreamer eNcore Add-on for Splunk?

Unleash Unified Security and Observability with Splunk Cloud Platform

Enterprise Security Content Update (ESCU) | New Releases

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!