Check the following things on the CLI:

    /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh test

should produce this message as the last line:

    2020-12-02 22:27:20,963 Diagnostics INFO Connection successful

If it is successful, check this command; if not, skip to the next bit.

    /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh status

It should say:

    status_id=1 status="Running"

If these things check out but you still have errors, navigate to the TA-eStreamer bin directory, located in $SPLUNK_HOME/etc/apps/TA-eStreamer/bin. Open splencore.sh with your favorite editor, look at the following and make sure it reflects your path:

    #This is commented out by default, please set this to the home
    #directory of your Splunk Heavy Forwarder
    SPLUNK_HOME=/opt/splunk
    #This may be needed for CentOS, run this outside of the shell
    LD_LIBRARY_PATH=/opt/splunk/lib

That got rid of the error messages.

I did come from an upgrade. I decided to get rid of this deployment and followed these steps: https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSplunkOperationsGuide_409.html#_Toc529958489

I did find this in the inputs; the TA is looking for data to be written to $SPLUNK_HOME/etc/apps/TA-eStreamer/data in the inputs.conf:

    # Where data is written to
    [monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer/data]
    disabled = 0
    source = encore
    sourcetype = cisco:estreamer:data
    crcSalt = <SOURCE>

This directory does not exist. Instead the files are written to:

    /opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk
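The checks described in this thread, collected into a small POSIX shell script as an added example (not code from the original post or from the TA-eStreamer project). It assumes the post's default paths (SPLUNK_HOME=/opt/splunk, splencore.sh under the TA's bin directory) and, as a further assumption the post does not state, that inputs.conf lives in the TA's local/ or default/ directory. The parsing and verification functions take their input as arguments, so the "test" last-line check, the status check and the [monitor://...] path expansion can be exercised on constructed output without a live forwarder; only check_deployment touches the real installation.

```shell
#!/bin/sh
# Added example, not from the original post or the TA-eStreamer project.
# Reproduces the post's troubleshooting checks as functions that can be
# exercised offline. The paths below are the post's defaults, assumed here.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
TA_HOME="$SPLUNK_HOME/etc/apps/TA-eStreamer"

# 0 if the LAST line of `splencore.sh test` output reports a good connection
# (the post says the success message must be the final line).
test_output_ok() {
    printf '%s\n' "$1" | tail -n 1 | grep -q 'Diagnostics INFO Connection successful'
}

# 0 if `splencore.sh status` output reports the encore process as running.
status_output_ok() {
    printf '%s\n' "$1" | grep -q 'status="Running"'
}

# Print the path from the [monitor://...] stanza in inputs.conf content ($1),
# expanding the literal $SPLUNK_HOME token to the home directory given in $2.
monitor_path() {
    printf '%s\n' "$1" \
        | sed -n 's|^\[monitor://\(.*\)]$|\1|p' \
        | sed "s|[\$]SPLUNK_HOME|$2|g"
}

# 0 if the monitored directory exists; otherwise report the mismatch the post
# ran into (monitor stanza pointing at a directory encore never creates).
monitor_dir_ok() {
    if [ -d "$1" ]; then
        return 0
    fi
    echo "monitored directory missing: $1" >&2
    echo "per the post, encore wrote under: $TA_HOME/bin/encore/data/splunk" >&2
    return 1
}

# Run everything against the live deployment (needs the forwarder installed).
# inputs.conf location is an assumption: local/ overrides default/.
check_deployment() {
    out=$("$TA_HOME/bin/splencore.sh" test 2>&1) || true
    test_output_ok "$out" || { echo "eStreamer connection test failed" >&2; return 1; }
    st=$("$TA_HOME/bin/splencore.sh" status 2>&1) || true
    status_output_ok "$st" || { echo "encore is not running" >&2; return 1; }
    conf="$TA_HOME/local/inputs.conf"
    [ -f "$conf" ] || conf="$TA_HOME/default/inputs.conf"
    dir=$(monitor_path "$(cat "$conf")" "$SPLUNK_HOME")
    monitor_dir_ok "$dir"
}

# Only run the live checks when invoked directly as: sh check-estreamer.sh live
if [ "${1:-}" = "live" ]; then
    check_deployment
fi
```

Run it as `sh check-estreamer.sh live` on the heavy forwarder; it stops at the first failing step, in the same order the post walks through (connection test, then status, then the monitor path). Sourcing the file instead of running it with `live` leaves the functions available for use in other scripts.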