We opened a ticket with Cisco and were pointed towards this bug entry: CSCuz95008.
It appears that the Cisco eStreamer for Splunk App (currently v2.2.2) does not support the eStreamer user metadata format, which was changed in 6.0. We are currently using Cisco FMC 6.1.0.1, Splunk 6.5.2 and eStreamer 2.2.2. As a result, our connection events reference a numerical value for the 'user' field instead of the actual username.