
How to troubleshoot why the Cisco eStreamer for Splunk dashboards are empty?

MikeBertelsen
Communicator

New to using this app.
eStreamer is running and there is data in the estreamer.log.nnnnnnnnnnn files.
The index is searchable, but nothing is showing up in the dashboards.


douglashurd
Builder

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.


sjaworski
Communicator

Is your search head and indexer the same instance?


MikeBertelsen
Communicator

The app was installed and configured by Splunk Services.
There is a SH with Splunk Enterprise Security installed, two HFs, and two auto-LB indexers.
The eStreamer index is populated with current data. The index is searchable from the search head.
The application appears to be installed on only one of the HFs.
My thought is that Splunk Services intended to have the dashboards accessible from the HF so as not to interfere with Splunk ES.


sjaworski
Communicator

The eStreamer dashboard fails to populate because the heavy forwarder is not a search head.

You will need to install the eStreamer app on a search head for the dashboards to populate. However, I would think the eStreamer app is installed on the search head because of the field alias mappings for Enterprise Security. Check to see whether the eStreamer app is set to not be visible. Maybe the installer chose to use the FireSIGHT TA instead.

Warning: I do not know whether the eStreamer app will interfere with Enterprise Security on your current search head. My organization has yet to purchase ES. Maybe set up a test search head instance and install eStreamer there.

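As an added check that is not part of any post in this thread: the visibility suggestion above can be verified on the search head from the shell rather than by clicking through Splunk Web. Splunk layers etc/apps/<app>/local/app.conf over default/app.conf, and the is_visible key in the [ui] stanza decides whether an app and its dashboards appear in the UI (the default, when the key is absent, is visible). The script below reads that key with local-over-default precedence and reports hidden apps. The app directory name and conf contents it builds are constructed for the demonstration; the real eStreamer app's folder name is not stated in the thread, so substitute yours.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco's app: report whether a Splunk
# app will show in Splunk Web by reading [ui] is_visible with Splunk's precedence
# (local/app.conf overrides default/app.conf; missing key means visible).

# Print the value of KEY from the [ui] stanza of one app.conf FILE (nothing if absent).
read_ui_key() {
    file=$1; key=$2
    [ -f "$file" ] || return 0
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }                                 # comment line
        /^[[:space:]]*\[/ { in_ui = ($0 ~ /^[[:space:]]*\[ui\]/); next }
        in_ui && match($0, "^[[:space:]]*" key "[[:space:]]*=[[:space:]]*") {
            val = substr($0, RLENGTH + 1)
            sub(/[[:space:]]+$/, "", val)
            print val
            exit
        }
    ' "$file"
}

# Echo "true" or "false" for the effective visibility of the app directory APPDIR.
app_is_visible() {
    appdir=$1
    v=$(read_ui_key "$appdir/local/app.conf" is_visible)
    if [ -z "$v" ]; then
        v=$(read_ui_key "$appdir/default/app.conf" is_visible)
    fi
    # Splunk accepts true/false, 1/0, t/f, yes/no, y/n for booleans.
    case "$v" in
        0|[Ff]|[Ff]alse|FALSE|[Nn]|[Nn]o|NO) echo false ;;
        *) echo true ;;
    esac
}

# List every app under APPS_ROOT (e.g. $SPLUNK_HOME/etc/apps) that is hidden.
list_hidden_apps() {
    apps_root=$1
    for d in "$apps_root"/*/; do
        [ -d "$d" ] || continue
        if [ "$(app_is_visible "$d")" = false ]; then
            basename "$d"
        fi
    done
}

# Constructed sample app tree: default says visible, local overrides it to hidden,
# which is exactly the situation the reply above asks the poster to look for.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/example_hidden_app/default" "$demo_root/example_hidden_app/local" \
         "$demo_root/example_shown_app/default"
printf '[ui]\nis_visible = true\nlabel = Example Hidden\n' > "$demo_root/example_hidden_app/default/app.conf"
printf '# set by installer\n[ui]\nis_visible = false\n'      > "$demo_root/example_hidden_app/local/app.conf"
printf '[ui]\nlabel = Example Shown\n'                       > "$demo_root/example_shown_app/default/app.conf"

echo "hidden apps under $demo_root:"
list_hidden_apps "$demo_root"
```

On a real search head run `list_hidden_apps "$SPLUNK_HOME/etc/apps"`; if the eStreamer app's folder is listed, the dashboards exist but are hidden, and `local/app.conf` is where the override lives. If the folder is not present at all on the search head, the app is only on the heavy forwarder, which is the situation the reply describes.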