
Unable to receive intrusion event packet data field > 4k from FMC into splunk using Cisco security cloud integration

yssplunker
New Member

Hi All,

As the old eStreamer add-on is replaced by the new app Cisco Security Cloud (https://splunkbase.splunk.com/app/7404), we have installed the new app and are testing it in a distributed environment. We are facing one issue with intrusion event packet logs which are streaming from FMC into Splunk. Whenever the "packet data" field in an intrusion event packet is greater than 4k bytes, it is missing in the Splunk logs. Only the packetdata field is missing; the remaining complete log is visible in Splunk. And there are no errors related to parsing or truncation issues in the Splunk _internal index.

Has anyone faced the same issue, or is there any fix for this?


livehybrid
Super Champion

Hi @yssplunker 

Please could you confirm the sourcetype of your data? Looking in the app, most of the sourcetypes have TRUNCATE=0, which means they shouldn't be truncated, although not all of them!

Please let me know which sourcetype you are having the issue with and I'll check that specifically.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

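To do the per-sourcetype TRUNCATE check livehybrid describes without reading the stanzas by hand, here is a small script added for this thread (it is not code from the app or from either poster). It parses a props.conf, applies Splunk's documented default of 10000 bytes where a stanza sets no TRUNCATE, honours a [default] stanza, and lists which stanzas would cut an event of a given size. The props.conf content below is a constructed sample, not the file shipped with the Cisco Security Cloud app.

```python
import configparser
from io import StringIO

# Splunk's documented default for TRUNCATE when no stanza sets it.
DEFAULT_TRUNCATE = 10000

# Constructed sample props.conf: NOT the file shipped with the Cisco Security
# Cloud app; stanza names other than cisco:sfw:estreamer and all values are
# illustrative only.
SAMPLE_PROPS_CONF = """\
[cisco:sfw:estreamer]
SHOULD_LINEMERGE = false
TRUNCATE = 0

[cisco:sfw:estreamer:intrusion]
SHOULD_LINEMERGE = false

[cisco:asa]
TRUNCATE = 4096
"""

def effective_truncate(props_text: str) -> dict:
    """Map each stanza to its effective TRUNCATE (0 means never truncate).

    A stanza without the key inherits [default] if present, else 10000.
    """
    # Splunk's [default] stanza behaves like configparser's defaults section.
    parser = configparser.ConfigParser(
        default_section="default", delimiters=("=",), interpolation=None,
        strict=False, allow_no_value=True)
    parser.optionxform = str  # .conf keys are case-sensitive; keep TRUNCATE
    parser.read_file(StringIO(props_text))
    return {s: int(parser.get(s, "TRUNCATE", fallback=DEFAULT_TRUNCATE))
            for s in parser.sections()}

def stanzas_that_would_truncate(props_text: str, event_bytes: int) -> list:
    """Stanzas whose limit is below event_bytes (a 0 limit never truncates)."""
    return sorted(s for s, limit in effective_truncate(props_text).items()
                  if limit != 0 and event_bytes > limit)

if __name__ == "__main__":
    for stanza, limit in effective_truncate(SAMPLE_PROPS_CONF).items():
        print(f"{stanza}: TRUNCATE={limit}")
    print("would truncate a 5000-byte event:",
          stanzas_that_would_truncate(SAMPLE_PROPS_CONF, 5000))
```

This reads one file only; on a real search head or indexer, `splunk btool props list cisco:sfw:estreamer --debug` shows the merged result across all apps and local overrides, which is the value that actually applies.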

yssplunker
New Member

Sourcetype is "cisco:sfw:estreamer" and I am using the default app settings.
