Hi,

I have Splunk 8.1.4 with Splunk Add-on for CISCO ESA 1.5.0. I also have the old  app Cisco Secuirty Suite that even though it does not support Splunk 8.1.4, it shows results so I planned to get inspired by its query for Message tracking--> Transaction details.

index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="*" dest_interface="*" policy_direction="*" subject="*TEST*"

I think the ESA events are getting correctly to Splunk, I use Syslog Connector for Splunk. 

The test I performed is the following :

1. send an email from my corporate email to GMAIL with the subject TEST

2. simply reply from gmail.

With the above query I would expect to see two events but I only see the outgoing event.

I tried to filter by recipient and it thrown zero results.

index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="xxxx@yyy.zz" dest_interface="*" policy_direction="*"

If I do a simpler query without the transaction command, I can see an event with the right internal recipient which corresponds to the incoming email that I could not find previously. But in that event there is no field subject.

index=cisco eventtype=cisco-esa  recipient="xxxx@yyy.zz"

Could someone help me out with some query that consolidate inbound /outbound emails with filtering capabilities?

thanks