Have a look into the logfile (in our install, this was the path; you might have to look for it): /opt/splunk/var/log/splunk/amp4e_events_input.log
Look for SSL errors (supposedly someone screwed up the certificate handling when packing this app).
Did the handshake fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/5
Did the ssl-shared-options fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/12
This at least got the log to connect and say " INFO Amp4eEvents - Connected. Starting to consume."