cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
jmr
Explorer
Member since: ‎09-08-2023
‎09-21-2023
Community Statistics
Posts 4
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎09-08-2023
Activity Feed
View All

Re: Cisco Secure eStreamer Client Add-On for Splun...

by in All Apps and Add-ons
‎09-21-2023 11:15 AM
‎09-21-2023 11:15 AM
Official answer:   We have a default clean up script but it is by no means a full solution, it will age off files that are older than some frequency (in the splencore.sh) script, but if you have a high volume that threshold may not be acceptable.  There are a few options we recommend to our clients:   (#1) In inputs.conf:   Change the monitor stanza to batch, this will delete files upon ingest to Splunk, this is useful if Splunk is only system of record.     (#2)   Sym Link to a NAS drive or larger file system:   If you want to retain the estreamer log files then you could create a sym link to the folder where output is stored, the sym link would need to represent an adequate file capacity, something on the order of /var/log    (#3)   Modify the age off task, its default is 12 hours, but that can be modified, once modified though you will need to update it with new versions of the TA.  This is located in the /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh file, note modifying this file will potentially conflict with future updates of the app, so keep in mind during and upgrade you will need to go back and modify this file after an overwrite   clean() {     # Delete data older than 12 hours -> 720mins ... View more

Cisco Secure eStreamer Client Add-On for Splunk | ...

by in All Apps and Add-ons
‎09-20-2023 06:30 AM
‎09-20-2023 06:30 AM
I am noticing that the eStreamer Client Add-On is generating a lot of logs and filling up my Enterprise Server. Is there any way to mitigate this? It looks like the app will write 1000 lines of code per file. Is there any way to set an overwrite or scavenge setting so it doesn't just keep filling up the disk infinitely?   root@thall-splunk02:/opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk# du -sh /opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk/ 87G /opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk/ root@thall-splunk02:/opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk# ll total 90725612 drwx--x--- 2 root root 151552 Sep 18 02:06 ./ drwx--x--- 3 root root 4096 Sep 13 12:18 ../ -rw------- 1 root root 27279093 Sep 13 12:18 encore.1694621917.log -rw------- 1 root root 28232829 Sep 13 12:18 encore.1694621924.log -rw------- 1 root root 28304921 Sep 13 12:18 encore.1694621930.log -rw------- 1 root root 28368804 Sep 13 12:19 en ...     wc -l encore.1694630328.log 10000 encore.1694630328.log ... View more

Re: Cisco Secure eStreamer Client Add-On | Install...

by in All Apps and Add-ons
‎09-08-2023 04:18 PM
‎09-08-2023 04:18 PM
Thank you.  ... View more

Cisco Secure eStreamer Client Add-On | Install Loc...

by in All Apps and Add-ons
‎09-08-2023 10:10 AM
‎09-08-2023 10:10 AM
My organization is a Splunk Cloud subscriber, and I am working on installing the Cisco Secure eStreamer Client Add-On. Currently, on-prem, we have one Heavy Forwarder (enterprise server) and two UF forwarding events to our cloud indexer. I am wondering what is the best practice for installing the eStreamer Client Add-On. Does the eStreamer Client Add-On have to be installed on the HF or can it go on the UF? I previously installed it on the HF, but it caused errors with I/O latency (there are many millions of events coming from the Cisco FMC). I'm wondering if there is any way to distribute the load - I know the UF is better for handling many events. Any help would be greatly appreciated.   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-21-2023 02:37 PM