Re: Cisco Secure eStreamer Client Autolookup estre...

elee_splunk · ‎07-06-2021

After updating our TA we realized the action field autolookup wasn't working anymore. Digging through the TA I see in the props.conf the autolookup "LOOKUP-estreamer_fw_action" is commented out. Is there a reason this was done?

@douglashurd - Can you please advise. Thanks!

douglashurd · ‎07-06-2021

Thanks for the question. A few questions:

What event type did you lose the field in?

What version of the TA are you using?

Please email the details to encore-community@cisco.com for a slight quicker response.

Thanks,

Doug

elee_splunk · ‎07-07-2021

I lost action field in the firewall rule logging cisco:estreamer:data. There is a field called fw_rule_action but there is supposed to be an autolookup that translates the fw_rule_action to action.

I am using 4.6.0 but I downloaded and check 4.6.1 and 4.6.2 and all of them have the line for the autolookup commented out.

I have emailed encore-community@cisco.com for further support.

Thanks!

Cisco Secure eStreamer Client Autolookup estreamer_fw_action commented out

props.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation