Deploying eNcore eStreamer 3.6.1 I have found that the field alias for intrusion signatures is not being applied in my searches:
./splunk cmd btool props list cisco:estreamer:data | grep ALIAS ... FIELDALIAS-estreamer_intrusion_signature = msg AS signature FIELDALIAS-estreamer_severity = priority AS severity FIELDALIAS-estreamer_src = src_ip AS src
Attached is a screenshot for one event, you can see that src and severity are there, but there is no signature. Without the fieldalias, anything in the Intrusion Data Model has unknown for the signature of the attack in it.
I got the same issue but with eStreamer 4.2 and 4.0. If you are using Splunk 7.2 or later, there is a limitation you can't use two field aliases for the same field. Take a look into signature aliase:
You need to remove the overwrite on both Field Aliases.
Actually I believe I have fixed the issue I'm having (signature aliases for both malware and intrusion detection data models).
I've removed the FIELDALIASES that try and create the fields required, and replace it with my own in local directory...
props.conf [cisco:estreamer:data] EVAL-signature = coalesce(msg,detection)
This doesn't have seem to fix the field aliases.. I'm having the EXACT same problem, only seems to be having issues with signature for intrusion detection data model.
Splunk version: 7.2.6