Per the deployment guide we have three options: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/api/eStreamer_enCore/eStreamereNcoreSplunkOperationsGuide_354.html#_Toc529958496

■ 0: Send all events from the earliest point available on the Firepower Management Center
■ 1: Send all events that occur after receiving the client request
■ 2: Use a bookmark to pick up where we left off. First run is from 0

So, first modify the file to use option 0. Restart the encore, leave it running for some time, and verify that you see events. After that you can modify the file to option 1, restart the encore again, and verify that events are seen in encore.