I got the same issue but with eStreamer 4.2 and 4.0. If you are using Splunk 7.2 or later, there is a limitation: you can't use two field aliases for the same field. Take a look at the signature aliases:

cisco:estreamer:data : FIELDALIAS-estreamer_intrusion_signature
cisco:estreamer:data : FIELDALIAS-estreamer_malware_signature

You need to remove the overwrite on both Field Aliases.

Regards,