Troubleshoot the Splunk Add-on for Cisco ESA
General troubleshooting
For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Missing source types
If you suspect that some of your Cisco ESA data is not arriving, run the following search once for each Cisco ESA source type you want to check, replacing <Cisco ESA sourcetype> with the source type name. The source types are cisco:esa:authentication, cisco:esa:textmail, cisco:esa:http, and cisco:esa:amp:
| stats count | append [ search sourcetype=<Cisco ESA sourcetype> | head 1 | stats count] | stats sum(count) as count | eval message=if(count=0, "Data is missing for <Cisco ESA sourcetype>", "Data is collected for <Cisco ESA sourcetype>") | table message
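The following search is an added example, not part of the original Splunk documentation. It uses the same append-and-sum approach to report on all four source types in one pass. It assumes the data is in indexes your role can search (index=*) and uses the time range selected in the time picker.

```spl
| tstats count where index=* sourcetype="cisco:esa:*" by sourcetype
| append
    [| makeresults
     | eval sourcetype=split("cisco:esa:authentication,cisco:esa:textmail,cisco:esa:http,cisco:esa:amp", ",")
     | mvexpand sourcetype
     | eval count=0
     | fields sourcetype count]
| stats sum(count) as count by sourcetype
| eval message=if(count=0, "Data is missing for ".sourcetype, "Data is collected for ".sourcetype)
| table sourcetype count message
```

The appended zero-count rows guarantee that a source type with no events still appears in the results, so silent gaps in mail, authentication, HTTP, or AMP logging show up as "Data is missing" rather than as an absent row.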
This documentation applies to the following versions of Splunk® Supported Add-ons: released