Splunk Cloud Platform

Splunk cloud and Cisco Secure eStreamer Client Add-On

hendriks
Path Finder

Is the app (Cisco Secure eStreamer Client Add-On[https://splunkbase.splunk.com/app/3662]) even usable on Splunk Cloud? I can install it from the "browse more apps" page in the cloud app management area, but it seems I will not be able to set it up or use it, as

1) it requires you to edit a config file on disk;
2) it writes the data it retrieves from Cisco to a local disk;
3) it is not possible to create a disk monitor in Splunk Cloud.

The only real option seems to be to use a heavy forwarder.

Any suggestions?


PickleRick
SplunkTrust

Firstly, it's a Cisco-provided app. Vendor-created apps are, unfortunately, often sub-par in how they are written. They do understand their own products, but they often do not understand Splunk well enough.

Secondly, while you probably could edit the app's files, pack it and try to deploy it in Cloud, the app would probably not pass AppInspect.

Thirdly, the description on Splunkbase says clearly that it's meant to be installed on a forwarder.

hendriks
Path Finder

Thank you for the reply. I missed the "to be installed on a forwarder" line, as it is only one line in the details and not mentioned under installation or anything.

It actually still is strange that it can be installed on Splunk Cloud, as you can't use it there. Even when you can configure it, it wants to write the logs it retrieves locally before ingesting.

So an HF it is.


Kind regards,


Richard


PickleRick
SplunkTrust

I suppose (I haven't seen this particular Add-On) it might contain search-time settings as well. Often add-ons should be installed on several tiers at the same time, since they might contain search-time extractions, which are effective on the SH tier, as well as index-time settings (like sourcetype definitions for timestamp extraction and event breaking), which are effective on the indexer tier or HF.
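As an added illustration (not the eStreamer add-on's own configuration, and not part of this thread), here is a hypothetical props.conf for an invented sourcetype that shows which settings are index-time and which are search-time, which is why one add-on can end up needing to be installed on more than one tier:

```ini
# Hypothetical props.conf for an invented sourcetype "example:firewall".
# Typically lives in $SPLUNK_HOME/etc/apps/<app>/local/props.conf.
#
# Index-time settings: evaluated by the first full Splunk instance that
# parses the data (an indexer, or a heavy forwarder in front of Splunk Cloud).
# They only affect events ingested after the change and cannot be re-applied
# to data that is already indexed, so they must be right on the HF/indexer tier.
[example:firewall]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE = 10000

# Search-time settings: evaluated by the search head when a search runs.
# A copy on the indexer/HF is ignored for this purpose, so the same stanza
# must also exist on the SH tier for the fields below to appear.
EXTRACT-fw_fields = src=(?<src_ip>\S+)\s+dst=(?<dest_ip>\S+)\s+in=(?<bytes_in>\d+)\s+out=(?<bytes_out>\d+)
EVAL-bytes_total = bytes_in + bytes_out
FIELDALIAS-dvc = host AS dvc
```

If only the HF copy is deployed, ingestion and timestamps will be correct but searches on the search head will not show src_ip, dest_ip or bytes_total; if only the SH copy is deployed, the fields resolve but event breaking and timestamps are left to autodetection.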

tscroggins
Champion

If you have a private link, your Splunk account management team and Splunk support may assist with sizing and configuration; however, I would recommend a heavy forwarder to 1) manage infrastructure and transit costs and 2) limit network access to your FMC to devices under your control. The eStreamer client can also be unstable, and having direct access to the heavy forwarder will reduce your MTTR.


hendriks
Path Finder

Thanks, yes, that is what I had actually already figured out.
