Splunk Cloud Platform

Splunk cloud and Cisco Secure eStreamer Client Add-On

hendriks
Path Finder

Is the app (Cisco Secure eStreamer Client Add-On[https://splunkbase.splunk.com/app/3662]) even usable on Splunk Cloud? I can install it from the "browse more apps" page in the cloud app management area, but it seems I will not be able to set it up or use it, as

1) it requires you to edit a config file on disk;
2) it writes the data it retrieves from Cisco to a local disk;
3) it is not possible to create a disk monitor in Splunk Cloud.

Only real option seems to be to use a heavy forwarder.

Any suggestions?


PickleRick
SplunkTrust

Firstly, it's a Cisco-provided app. Vendor-created apps are, unfortunately, often sub-par in how they are written. The vendors do understand their own products, but they often do not understand Splunk well enough.

Secondly, while you probably could edit the app's files, pack it and try to deploy it in Cloud, the app would probably not pass AppInspect.

Thirdly, the description on Splunkbase says clearly that it's meant to be installed on a forwarder.

hendriks
Path Finder

Thank you for the reply. I missed the "to be installed on a forwarder" line, as it is only one line in the details and not mentioned under installation or anywhere else.

It actually still is strange that it can be installed on Splunk Cloud, as you can't use it there. Even if you could configure it, it wants to write the logs it retrieves locally before ingesting them.

So a HF it is. 

Kind regards,

Richard

PickleRick
SplunkTrust

I suppose (I haven't seen this particular add-on) it might contain search-time settings as well. Often add-ons should be installed on several tiers at the same time, since they might contain search-time extractions, which are effective at the SH tier, as well as index-time settings (like sourcetype definitions for timestamp extraction and event breaking), which are effective on the indexer tier or HF.
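To make the tier split concrete, here is an added illustrative props.conf stanza (it is not from the thread and not from the Cisco eStreamer add-on; the sourcetype name `vendor:example:events`, the field names and the regexes are made up). It groups the attributes that Splunk applies at index time (wherever the data is parsed: a heavy forwarder or the indexers) separately from those applied at search time (the search head), which is why a copy of such an add-on usually has to live on more than one tier:

```ini
# Added example, not code from the thread or from the Cisco add-on.
# Hypothetical sourcetype; all values are illustrative only.
[vendor:example:events]

# --- Index-time settings: applied where the raw data is first parsed.
# If a heavy forwarder parses the data, these must be present on the HF;
# indexers do not re-parse already cooked data arriving from an HF.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 10000
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 30

# --- Search-time settings: applied on the search head when a search runs.
# Without these on the SH tier the fields below never show up in results.
KV_MODE = none
EXTRACT-src_dst = src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+dst=(?<dest_ip>\d{1,3}(?:\.\d{1,3}){3})
FIELDALIAS-action_alias = act AS action
EVAL-vendor_product = "Example Vendor Product"
```

On a self-managed instance you can verify which copy of a stanza actually wins on a given tier with `splunk btool props list vendor:example:events --debug`, which prints the effective merged settings together with the file each one comes from.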

tscroggins
Influencer

If you have a private link, your Splunk account management team and Splunk support may assist with sizing and configuration; however, I would recommend a heavy forwarder to 1) manage infrastructure and transit costs and 2) limit network access to your FMC to devices under your control. The eStreamer client can also be unstable, and having direct access to the heavy forwarder will reduce your MTTR.


hendriks
Path Finder

Thanks, yes, that is what I had actually already figured out.
