Actually I believe I have fixed the issue I'm having (signature aliases for both malware and intrusion detection data models).
I've removed the FIELDALIASES that try and create the fields required, and replaced it with my own in the local directory:
props.conf
[cisco:estreamer:data]
EVAL-signature = coalesce(msg,detection)
This doesn't seem to fix the field aliases. I'm having the EXACT same problem; it only seems to have issues with signature for the intrusion detection data model.
Splunk version: 7.2.6