Troubleshoot the Splunk Add-on for Cisco ESA

General troubleshooting

For helpful troubleshooting tips for all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual. For additional resources, see Support and resource links for add-ons in the Splunk Add-ons manual.

To quickly identify potential issues and monitor event ingestion for the Cisco ESA add-on, refer to the Use the Troubleshooting Dashboard section.

Missing source types

If you suspect that some of your Cisco ESA data is not arriving, run the following search once for each Cisco ESA source type you want to check, substituting that source type for `<Cisco ESA sourcetype>`. The source types are cisco:esa:authentication, cisco:esa:textmail, cisco:esa:http, and cisco:esa:amp:

| stats count
| append
    [ search sourcetype=<Cisco ESA sourcetype>
    | head 1
    | stats count]
| stats sum(count) as count
| eval message=if(count=0, "Data is missing for <Cisco ESA sourcetype>", "Data is collected for <Cisco ESA sourcetype>")
| table message
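The search above checks one source type per run. The following search, added here as an example and not part of the Splunk Add-on for Cisco ESA documentation, checks all four source types in a single run: it counts events per source type with tstats, appends a zero-count row for each expected source type so that a source type with no events still produces a result, and then reports the same "missing" or "collected" message per source type. It assumes your user has access to the indexes the add-on writes to and that the default search time range covers the period you want to verify.

```spl
| tstats count
    where (sourcetype="cisco:esa:authentication" OR sourcetype="cisco:esa:textmail"
        OR sourcetype="cisco:esa:http" OR sourcetype="cisco:esa:amp")
    by sourcetype
| append
    [ | makeresults
      | eval sourcetype=split("cisco:esa:authentication,cisco:esa:textmail,cisco:esa:http,cisco:esa:amp", ",")
      | mvexpand sourcetype
      | eval count=0
      | fields sourcetype count ]
| stats sum(count) as count by sourcetype
| eval message=if(count=0, "Data is missing for ".sourcetype, "Data is collected for ".sourcetype)
| table sourcetype count message
```

Because the appended rows contribute a count of 0, the summed count for a source type is 0 only when tstats returned no events for it in the selected time range.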