Thanks for the question.  A few questions: What event type did you lose the field in? What version of the TA are you using? Please email the details to encore-community@cisco.com for a slight quicker response.   Thanks,   Doug ... View more

Please email a link to this thread to encore-community@cisco.com   Thanks,   Doug   ... View more

Thanks for the message!  We're looking at it.  Appreciate all the details.   Doug   ... View more

this will create a race condition for the "All Time" queries, which are discouraged but still an option ... View more

Just need to make sure by 'app' you mean the 3.6.8 TA and you are not referring to the dashboard app, correct? ... View more

I'm not the developer for this code but my colleague is and I will chat with him to try to get a detailed technical answer. That said, I think I can give you some important background and shed some light on your question. In older versions of the eNcore code the Connection Event timestamp we used was derived from the time a connection was concluded. i.e., last packet. This caused some real problems since sometimes connections stay open for a very long time. Seconds? Minutes? Days? Our platform doesn't always age out connections in an orderly process and so we concluded, after a lot of analysis in a few customer environments, that we had to make the initiation of a connection (First packet) the actual timestamp we put in the event. Not sure if you still think a change to the code is needed. We're open minded. ... View more

Thanks for the update. I'll review with our developer. ... View more

we've more recently pushed 3.6.8 with more bug fixes. ... View more

You definitely need to give it a password. Where on the heavy forwarder are you copying the certificate? What directory path? ... View more

Please update to the latest version of the TA. https://splunkbase.splunk.com/app/3662/ If you still have the problem just copy / paste new log data in this forum and we'll make a few suggestions. ... View more

Yes. We added that switch recently. No plans however to pout any sort of decoder into the app. Its been requested a few times. If we can come up with an easy way we will but its not on the roadmap presently. ... View more

3.6.1 has a bug that we discovered on 10/11. We changed default download to 3.5.8. There will be a 3.6.x posted in a few days that will fix the issue. ... View more

We don't perform the HEX to ASCII currently but we may insert a switch into the configuration file that does this. Converting to ASCII creates other problems though as there will be many special characters that don't mean anything. Currently, we assume customers use something like wireshark to perform the decode. With our new Splunk app you can right-click from the payload and link back into the FMC's event view for this event and see the packet decoded in the FMC UI. ... View more

what version of Firepower? eNcore? When you say app, you mean the TA? ... View more

One of our architects here in Cisco tells me that he eliminates DNS requests (Connection Events) from logging and sees a massive reduction. ... View more

There is a detailed document on the syslog output. Do you have it? If you want it please email me dohurd@cisco.com and I'll attach. I cannot attach it here. Doug ... View more

Version 6.3 and 6.4 should work exactly the same. Doug ... View more

We certainly want to move on from eStreamer and it will eventually be replaced with fully qualified events in clear text like syslog direct from the FMC. We've already begun transitioning by offering syslog off the appliance for Intrusion, Connection and File events. I don't have a solid date on the estreamer API however. We're stuck with it for a while. A number of customers have asked for support for multiple FMCs from the same TA. There's a hi level design but its not committed yet. ... View more

Cisco TAC will help you with this even if the TA is not supported. Do you have the latest docs? Version 3.5? ... View more

BTW, 3.5.4 is now the latest version. Bug fixes and huge performance improvements for multi-core installations. New docs too. ... View more

With 6.x firepower you'll want to be on encore version 3.5.4 https://splunkbase.splunk.com/app/3662/ ... View more

Any chance you had Meta Data switched off on the FMC estreamer configuration page? We haven't seen this on other customer sites. ... View more

you have to set $SPLUNK_HOME to the path of where splunk is installed (usually opt/splunk, depends on OS) Is this where splunk is installed? Did you move to Python 2.7? ... View more

If you are using Firepower 6.x then you should use this TA: https://splunkbase.splunk.com/app/3662/ v 3.5.4 And you should use this version of the Dashboard: https://splunkbase.splunk.com/app/3663/ V 3.5.3 2.2.2 is a combined App and TA for Firepower 5.4 customers. It's not going to work well for 6.x customers. Doug ... View more