MID is extracted as internal_message_id - you should use this field when grouping logs back together via transaction or stats.
Please note that the issue of having to group logs for a given mail back together stems from the fact that the Ironport ESA add-on does handle this when Splunk is configured to receive text mail logs via rsyslog.
This is a non-issue when Splunk is configured to pick up text mail logs via a monitored input (i.e. Ironport is configured to scp/ftp logs to a monitored location), as all logs for a given mail are already grouped together.
Although the field extractions defined in the Ironport ESA add-on do work correctly in both ingestion scenarios, an unfortunate side effect of ingesting logs via rsyslog is that the Email CIM datamodel does not get populated correctly.
I consider this to be a bug with the add-on and have filed a support case to have the documentation updated to note the issue.
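To make the grouping concrete, here is an added example (not code from the post, the Ironport ESA add-on, or Splunk) that does in Python what a `... | stats values(*) by internal_message_id` search would do in Splunk: it pulls the MID out of each line, buckets the interleaved lines of several mails by that value, and folds each bucket into the sender, recipient, subject and antivirus verdict fields. The log lines are constructed to resemble Ironport text mail logs as they would arrive over rsyslog; the regexes and field names are this example's own assumptions, not the add-on's extractions.

```python
import re
from collections import defaultdict

# Constructed Ironport-style text mail log lines (not real data), with the
# events of two messages interleaved the way they arrive over rsyslog.
SAMPLE_LOGS = [
    "Tue Jan 2 10:00:01 2024 Info: New SMTP ICID 678 interface Data1 (10.0.0.5) address 192.0.2.10",
    "Tue Jan 2 10:00:01 2024 Info: Start MID 12345 ICID 678",
    "Tue Jan 2 10:00:01 2024 Info: MID 12345 ICID 678 From: <alice@example.com>",
    "Tue Jan 2 10:00:02 2024 Info: Start MID 12346 ICID 679",
    "Tue Jan 2 10:00:02 2024 Info: MID 12345 ICID 678 RID 0 To: <bob@example.net>",
    "Tue Jan 2 10:00:02 2024 Info: MID 12346 ICID 679 From: <carol@example.org>",
    "Tue Jan 2 10:00:03 2024 Info: MID 12345 Subject 'Quarterly report'",
    "Tue Jan 2 10:00:03 2024 Info: MID 12346 ICID 679 RID 0 To: <dave@example.net>",
    "Tue Jan 2 10:00:03 2024 Info: MID 12345 antivirus negative",
    "Tue Jan 2 10:00:04 2024 Info: MID 12346 Subject 'Invoice attached'",
    "Tue Jan 2 10:00:04 2024 Info: Message finished MID 12345 done",
    "Tue Jan 2 10:00:05 2024 Info: MID 12346 antivirus positive 'Example-Signature'",
    "Tue Jan 2 10:00:05 2024 Info: Message finished MID 12346 done",
]

# Assumed patterns for this example; the add-on's own extractions may differ.
MID_RE = re.compile(r"\bMID (\d+)\b")
FROM_RE = re.compile(r"From: <([^>]+)>")
TO_RE = re.compile(r"RID \d+ To: <([^>]+)>")
SUBJECT_RE = re.compile(r"Subject '([^']*)'")
AV_RE = re.compile(r"antivirus (negative|positive)")


def extract_mid(line):
    """Return the MID (what Splunk exposes as internal_message_id) or None."""
    m = MID_RE.search(line)
    return m.group(1) if m else None


def group_by_mid(lines):
    """Bucket lines by MID, the equivalent of `stats ... by internal_message_id`.

    Lines that carry no MID (connection-level ICID events, for instance) are
    kept under the key None rather than silently dropped, so a caller can see
    what did not join to any message.
    """
    groups = defaultdict(list)
    for line in lines:
        groups[extract_mid(line)].append(line)
    return dict(groups)


def summarize(lines):
    """Fold one message's lines into a single record of mail-level fields."""
    summary = {"src_user": None, "recipient": [], "subject": None,
               "verdict": None, "events": len(lines)}
    for line in lines:
        if m := FROM_RE.search(line):
            summary["src_user"] = m.group(1)
        if m := TO_RE.search(line):
            summary["recipient"].append(m.group(1))
        if m := SUBJECT_RE.search(line):
            summary["subject"] = m.group(1)
        if m := AV_RE.search(line):
            summary["verdict"] = m.group(1)
    return summary


def summarize_all(lines):
    """One record per MID; MID-less lines are excluded from the summaries."""
    return {mid: summarize(group) for mid, group in group_by_mid(lines).items()
            if mid is not None}


if __name__ == "__main__":
    for mid, record in sorted(summarize_all(SAMPLE_LOGS).items()):
        print(mid, record)
```

The `None` bucket is the part worth watching in a real deployment: any line the MID regex misses (or any line whose MID the add-on extracts differently) never reaches the per-message record, which is the same failure mode as a datamodel that is populated only for some events.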