Check the following things on the CLI:    /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh test   should produce this message as the last line:   2020-12-02 22:27:20,963 Diagnostics INFO Connection successful   If it is success-full, check this command, if not skip to the next bit.   /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh status   It should say:    status_id=1 status="Running"   If these things check out, but you still have errors, navigate to the TA-eStreamer bin directory, located in $SPLUNK_HOME/etc/apps/TA-eStreamer/bin.  Open the splencore.sh with your favorite editor, look at the following and make sure it reflects your path:   #This is commented out by default, pleaes set this to the home #directory of your Splunk Heavy Forwarder SPLUNK_HOME=/opt/splunk #This may be needed for CentOS, run this outside of the shell LD_LIBRARY_PATH=/opt/splunk/lib   That got rid of the error messages. I did come from an upgrade. I decided to get rid of this deployment and followed these steps: https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSplunkOperationsGuide_409.html#_Toc529958489 I did find this in the inputs; the TA is looking for data to be written to: $SPLUNK_HOME/etc/apps/TA-eStreamer/data in the inputs.conf # Where data is written to [monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer/data] disabled = 0 source = encore sourcetype = cisco:estreamer:data crcSalt = <SOURCE>   This directory does not exist. Instead the files are written to: /opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk ... View more

A copy of the _RAW log would help. But I think I believe you might be missing the named group, for the new field you are extracting. Give this a go: rex field=time "2017/05/02 06:31:(?<seconds>\d{2}" ... View more