An update for those who may have similar issues: Support for these Technical Apps and the eStreamer protocol interface to Splunk is not provided by either Splunk Support or Cisco Support. Opening tickets with either party did not successfully resolve these questions. The only support currently available for this interface is to use the email splunk_cisco_security_cloud@cisco.com. If staff are available to respond, they will answer some limited questions.

Cisco Security confirms that Splunkbase #3662 (TA-eStreamer) has been desupported in 2024, because the eNcore client it is based upon has been desupported. In essence, the eNcore client is being replaced. As a result, it is recommended (by Cisco Security) that systems with Splunkbase #3662 replace it with the new (supported) TA, which is Splunkbase #7404 (Cisco Security Cloud).

Cisco Security indicates that the older TA-eStreamer had a maximum expected throughput of under 10,000 events per second, and was practically limited to under 8K of continuous throughput. So, applications like ours that routinely exceed 8K per second would never have successfully used TA-eStreamer for that performance level. Performance levels for the newer Cisco Security Cloud app (#7404) are expected to be in the maximum range of 15-20K events per second, because it uses a new eStreamer SDK that replaces the decommissioned eNcore client software. Since it is possible our application may rise above that level, I asked if the app potentially supported using things like load balancers to scale beyond 15-20K, but no answer was provided for this question.

The Cisco Security team responding to my questions indicated that support for this TA is somewhat limited, with only best-effort support during Eastern US office hours. The Cisco Security team of course also recommends using hardware that follows their documented guidelines and provides sufficient memory, disk, and CPU to run the software at its maximum performance levels. But, once those maximum performance levels are reached (15-20K per second) there is no recommended scaling beyond that. Our team expects to experiment in various setups and architectures to see how far we can push the new TA.