Getting Data In

Cisco Secure eStreamer Client Autolookup estreamer_fw_action commented out

Loves-to-Learn Everything

After updating our TA we realized the action field autolookup wasn't working anymore. Digging through the TA I see in the props.conf the autolookup "LOOKUP-estreamer_fw_action" is commented out. Is there a reason this was done?


@douglashurd - Can you please advise. Thanks!

Labels (1)
0 Karma


Thanks for the question.  A few questions:

What event type did you lose the field in?

What version of the TA are you using?

Please email the details to for a slight quicker response.





0 Karma

Loves-to-Learn Everything

I lost action field in the firewall rule logging cisco:estreamer:data. There is a field called fw_rule_action but there is supposed to be an autolookup that translates the fw_rule_action to action. 

I am using 4.6.0 but I downloaded and check 4.6.1 and 4.6.2 and all of them have the line for the autolookup commented out.

I have emailed for further support. 



0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...