Cisco Secure eStreamer Client Autolookup estreamer...

elee_splunk · ‎07-06-2021

After updating our TA we realized the action field autolookup wasn't working anymore. Digging through the TA I see in the props.conf the autolookup "LOOKUP-estreamer_fw_action" is commented out. Is there a reason this was done?

@douglashurd - Can you please advise. Thanks!

douglashurd · ‎07-06-2021

Thanks for the question. A few questions:

What event type did you lose the field in?

What version of the TA are you using?

Please email the details to encore-community@cisco.com for a slight quicker response.

Thanks,

Doug

elee_splunk · ‎07-07-2021

I lost action field in the firewall rule logging cisco:estreamer:data. There is a field called fw_rule_action but there is supposed to be an autolookup that translates the fw_rule_action to action.

I am using 4.6.0 but I downloaded and check 4.6.1 and 4.6.2 and all of them have the line for the autolookup commented out.

I have emailed encore-community@cisco.com for further support.

Thanks!

Cisco Secure eStreamer Client Autolookup estreamer_fw_action commented out

props.conf

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI

Are you a member of the Splunk Community?

Cisco Secure eStreamer Client Autolookup estreamer_fw_action commented out

props.conf

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI