Cisco AMP for Endpoints Events Input

This app is NOT supported by Splunk. Please read about what that means for you here.

The Cisco AMP for Endpoints Events Input provides a mechanism to create, update, and delete event streams in Cisco Advanced Malware Protection (AMP) for Endpoints via the API and index them in your Splunk® instance to make them searchable. All you need to do is provide your API host and credentials from your AMP for Endpoints account and specify the stream parameters (such as which event types and groups should be directed to the stream). This app has been tested on Splunk v8.1.

Download checksums (SHA256)

cisco-amp-for-endpoints-events-input_203.tgz  81b138c4b5a5cf484ca700a824b109e0a883b2dae82986ea04e54cc912d4bc5e
cisco-amp-for-endpoints-events-input_202.tgz  c5c0e5e7445d59e7dbb8b903d30d171fa49ddec28e66be440270de286f1275cc
cisco-amp-for-endpoints-events-input_201.tgz  e65d357dcaada4622fa0da55b1cdbe196683a40433d8cc2c8f9cf112699e4cac
cisco-amp-for-endpoints-events-input_200.tgz  efb8fc5226be64fc02cabc0d43697ff764509199f583ee20cd236a74af4550a5
cisco-amp-for-endpoints-events-input_118.tgz  20ff9e79cff0db9dcbda7b095eb7de1d47867ad8e7f8b60bc4f8d45742df1e4f

Verify the archive you downloaded against the checksum for its version before installing it on your Splunk instance.
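The following script is an added example, not part of the app or of this page, that performs that verification: it streams the archive through SHA256 so a large file does not have to fit in memory, compares the digest in constant time, and looks the expected value up by archive name from the published list above (an unknown file name fails rather than passes). The checksum table in the code is copied from the list above.

```python
# Added example (not the app's code): check a downloaded release archive
# against the SHA256 checksums published above before installing it.
import hashlib
import hmac
import os
import sys

# Published checksums, copied from the list above, keyed by archive name.
PUBLISHED_SHA256 = {
    "cisco-amp-for-endpoints-events-input_203.tgz":
        "81b138c4b5a5cf484ca700a824b109e0a883b2dae82986ea04e54cc912d4bc5e",
    "cisco-amp-for-endpoints-events-input_202.tgz":
        "c5c0e5e7445d59e7dbb8b903d30d171fa49ddec28e66be440270de286f1275cc",
    "cisco-amp-for-endpoints-events-input_201.tgz":
        "e65d357dcaada4622fa0da55b1cdbe196683a40433d8cc2c8f9cf112699e4cac",
    "cisco-amp-for-endpoints-events-input_200.tgz":
        "efb8fc5226be64fc02cabc0d43697ff764509199f583ee20cd236a74af4550a5",
    "cisco-amp-for-endpoints-events-input_118.tgz":
        "20ff9e79cff0db9dcbda7b095eb7de1d47867ad8e7f8b60bc4f8d45742df1e4f",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large archive need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_matches(actual_hex, expected_hex):
    """Constant-time, case-insensitive comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def verify_bytes(data, expected_hex):
    """Same check for an archive already read into memory."""
    return digest_matches(hashlib.sha256(data).hexdigest(), expected_hex)


def verify_download(path, expected_hex=None):
    """True when the file matches. With no expected digest the archive is looked
    up by file name in PUBLISHED_SHA256; an unknown name fails rather than passes."""
    if expected_hex is None:
        expected_hex = PUBLISHED_SHA256.get(os.path.basename(path))
        if expected_hex is None:
            return False
    return digest_matches(sha256_file(path), expected_hex)


if __name__ == "__main__":
    if len(sys.argv) not in (2, 3):
        sys.exit(f"usage: {sys.argv[0]} <archive.tgz> [expected sha256]")
    ok = verify_download(sys.argv[1], sys.argv[2] if len(sys.argv) == 3 else None)
    print("OK: checksum matches" if ok else "MISMATCH: do not install this archive")
    sys.exit(0 if ok else 1)
```

Run it as `python verify_download.py cisco-amp-for-endpoints-events-input_203.tgz`; if you renamed the archive, pass the expected digest as the second argument instead of relying on the file-name lookup. A mismatch means the file is not the one Splunkbase published for that version and should not be installed.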



It is expected that a user of this app:

  • is familiar with Cisco AMP for Endpoints and understands the concepts of AMP business, events, event types, and groups.
  • has an account within a working instance of the cloud-hosted AMP for Endpoints Console. At this point, there is no support for private cloud AMP for Endpoints appliances.
  • has a set of Read/Write AMP API credentials.
  • knows how to access the event types and groups API endpoints in order to retrieve the codes of event types and the GUIDs of groups.


Please ensure that the following URL endpoints are reachable from the Splunk host that runs the input (outbound, TLS on TCP 443). The api.* host serves the REST API calls the app uses to manage streams; the export-streaming.* host is the AMQP endpoint from which the stream's events are consumed.

Public cloud region   AMP for Endpoints URL endpoints                               Port   Protocol
North America         api.amp.cisco.com, export-streaming.amp.cisco.com             443    TCP
Europe                api.eu.amp.cisco.com, export-streaming.eu.amp.cisco.com       443    TCP
Asia Pacific          api.apjc.amp.cisco.com, export-streaming.apjc.amp.cisco.com   443    TCP


This app comes with a custom interface to ensure that every meaningful action (like creating, editing, or deleting an input) yields the expected result.

Please note: this app interacts with a third-party service, namely Cisco Advanced Malware Protection (AMP) for Endpoints, using the API credentials you configure. It also uses Splunk's built-in key-value store to persist crucial information about event streams.


This app can be installed directly from Splunkbase. The app will appear in your Splunk Apps navigation bar after it is successfully installed. When you visit one of the app pages, it will ask you to provide settings on the configuration page. The configuration contains the options used to authenticate API calls to the AMP server, specifically:

  • API host (web address of the Cisco AMP for Endpoints API for your region, as found in the AMP for Endpoints API documentation; see the endpoint table above)
  • API id (3rd-party API client ID provided by AMP for Endpoints. The credentials must allow read and write access.)
  • API key (API secret key that corresponds to the API id above. Since version 1.1.8 it is kept in Splunk's secured password storage rather than in plain text in inputs.conf.)

Once these have been configured you are ready to create and use the inputs.

Use cases

Creating an input

You need to create an input to have events flow into your index. To do this, go to the app interface and navigate to 'New Input'. If the app is properly configured, you can populate the fields:

  • 'Name' contains the input name. The Name must be unique and cannot be changed later. If you attempt to create an input with the Name of an input that already exists, validation will fail.
  • 'Index' contains the Splunk index the events will be directed to. It defaults to 'main'; however, you can specify any index within your instance. The index cannot be changed after the input is saved.
  • 'Stream name' contains the unique name of an event stream. Since event streams can be created not only from the Splunk app but also directly via the API, this name serves to distinguish the streams.
  • 'Event Types' allows you to select one or more event types to direct to the stream. You can only select event types that are accessible to your business. Leave this field blank to receive all event types.
  • 'Groups' allows you to select one or more connector groups to direct to the stream. Leave this field blank to receive all groups in the business.

When you click 'Save', the stream with the parameters you provided will be created within AMP for Endpoints. If there is a validation failure, the appropriate message will be displayed. Leaving either the Event Types or Groups field blank directs all event types or all groups, respectively, to the created stream and the Splunk index.

Please note: the number of event streams per business is limited to 5. The limit applies to the business as a whole, so streams created directly via the API count towards it as well.

Updating an input

To update an input, click on its name in the inputs list view. Follow the procedure described previously to change the stream parameters. Please note: you will not be able to edit the input name or index.

Deleting an input

To delete an input, click the 'Delete' link in its row in the inputs list view. Confirm your choice to finish the procedure. The event stream will be deleted from AMP for Endpoints along with the input.
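The create and delete procedures above, together with the event type codes and group GUIDs that the requirements section says you must be able to retrieve, map onto a handful of API calls. What follows is an added example, not the app's own code: it builds (without sending) the requests behind a given input, resolves event type names to codes and group names to GUIDs from response data, omits empty Event Types/Groups so the stream receives everything, as a blank form field does, and refuses to build a create request at the five-streams-per-business limit or for a duplicate stream name. Assumed, because this page does not state them: HTTP Basic authentication with the API id as user name and the API key as password, the v1 paths /v1/event_types, /v1/groups and /v1/event_streams, and the request fields name, event_type and group_guid. The sample responses are constructed and their ids and GUIDs are illustrative.

```python
# Added example (not the app's code): build, without sending, the AMP for
# Endpoints API requests behind the input form. Assumed: HTTP Basic auth with
# the API id as user name and the API key as password; v1 paths and request
# field names as below. Sample responses are constructed, not real data.
import base64
import json
from urllib.request import Request

MAX_STREAMS_PER_BUSINESS = 5  # limit stated under "Creating an input"

# Regional API hosts from the endpoint table on this page.
API_HOSTS = {
    "North America": "api.amp.cisco.com",
    "Europe": "api.eu.amp.cisco.com",
    "Asia Pacific": "api.apjc.amp.cisco.com",
}

# Assumed API v1 paths (not listed on this page).
EVENT_TYPES_PATH = "/v1/event_types"
GROUPS_PATH = "/v1/groups"
EVENT_STREAMS_PATH = "/v1/event_streams"

# Constructed sample responses in the shape the API returns; ids/guids illustrative.
SAMPLE_EVENT_TYPES = {"data": [
    {"id": 1090519054, "name": "Threat Detected"},
    {"id": 2164260880, "name": "Policy Update"},
]}
SAMPLE_GROUPS = {"data": [
    {"guid": "b077d6bc-bbdf-42f7-8838-a06053fbd98a", "name": "Protect"},
    {"guid": "6ed8c3a6-f57e-4a4a-9d0e-cc2d5f8e0c6f", "name": "Audit"},
]}
SAMPLE_EXISTING_STREAMS = {"data": [{"id": 101, "name": "splunk-prod"}]}


def auth_header(api_id, api_key):
    """HTTP Basic header: API id as user name, API key as password."""
    token = base64.b64encode(f"{api_id}:{api_key}".encode("ascii")).decode("ascii")
    return "Basic " + token


def _lookup(response, key, names, what):
    """Map names to `key` values in a {"data": [...]} response; unknown names fail."""
    table = {item["name"]: item[key] for item in response["data"]}
    missing = [n for n in names if n not in table]
    if missing:
        raise KeyError(f"{what} not available to this business: {missing}")
    return [table[n] for n in names]


def resolve_event_type_codes(event_types_response, names):
    """Event type names -> numeric codes (response of GET EVENT_TYPES_PATH)."""
    return _lookup(event_types_response, "id", names, "event types")


def resolve_group_guids(groups_response, names):
    """Connector group names -> guids (response of GET GROUPS_PATH)."""
    return _lookup(groups_response, "guid", names, "groups")


def _request(host, api_id, api_key, path, method, body=None):
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = Request(f"https://{host}{path}", data=data, method=method)
    req.add_header("Authorization", auth_header(api_id, api_key))
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def build_create_stream_request(host, api_id, api_key, stream_name,
                                event_type_codes=(), group_guids=(),
                                existing_streams=None):
    """POST to EVENT_STREAMS_PATH. Empty codes/guids are left out of the body so
    the stream gets all event types / all groups, as a blank form field does.
    Refuses at the per-business stream limit or on a duplicate stream name."""
    existing = existing_streams["data"] if existing_streams else []
    if len(existing) >= MAX_STREAMS_PER_BUSINESS:
        raise RuntimeError(f"business already has {len(existing)} event streams "
                           f"(limit {MAX_STREAMS_PER_BUSINESS}); delete one first")
    if any(s["name"] == stream_name for s in existing):
        raise ValueError(f"event stream name already in use: {stream_name}")
    body = {"name": stream_name}
    if event_type_codes:
        body["event_type"] = list(event_type_codes)
    if group_guids:
        body["group_guid"] = list(group_guids)
    return _request(host, api_id, api_key, EVENT_STREAMS_PATH, "POST", body)


def build_delete_stream_request(host, api_id, api_key, stream_id):
    """DELETE EVENT_STREAMS_PATH/<id>: what deleting an input does in AMP."""
    return _request(host, api_id, api_key,
                    f"{EVENT_STREAMS_PATH}/{int(stream_id)}", "DELETE")


def request_body(req):
    """Decode the JSON body of a built request (for inspection)."""
    return json.loads(req.data.decode("utf-8"))
```

To use it against a real business, feed resolve_event_type_codes and resolve_group_guids the live responses of the event types and groups endpoints rather than the samples, pass the current list of streams as existing_streams, and send the built request with urllib.request.urlopen over TLS with default certificate verification. Keep the API key out of inputs.conf and logs; the header built by auth_header is a bearer-equivalent secret for a read/write account.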

Searching for events

By default, the events from the stream are directed to the 'main' index and are indexed with the sourcetype cisco:amp:event.


This project is open-source; please seek guidance at the project's GitHub page.

Known Issues


ValueError: Expected instance of Parameters, not <URLParameters host=export-streaming.amp.cisco.com port=443 virtual_host=/ ssl=True>
  • This error occurs when two instances of the Pika library are included in your installation. If you encounter this error, check to see if the folder $SPLUNK_HOME/etc/apps/amp4e_events_input/bin/pika/pika exists on your Splunk server. If it does, remove it with:
$ rm -rf $SPLUNK_HOME/etc/apps/amp4e_events_input/bin/pika/pika

If you receive the warning "Warning! It appears your configuration is incomplete, so you will not be able to create any inputs. Please update your configuration." after updating the app:

  • Visit https://<your splunk address>/en-US/_bump and click the 'Bump version' button
  • Visit the configuration tab within the app and ensure your configuration is correct

Release Notes

Version 2.0.3
June 29, 2022

Updated version tags in xml view files for Splunk Cloud Compliance

Version 2.0.2
Nov. 3, 2021

Fixed an issue where creating or editing an input would fail in some cases

Version 2.0.1
March 18, 2021
Version 2.0.0
March 9, 2021
  • Re-write with python3
  • Support for Splunk8

NOTES: Please completely uninstall previous versions of this app before installing this version on your Splunk instance.

Version 1.1.8
April 17, 2020

Adds support for Splunk Cloud 7.3 by fixing appinspect errors that prevented Splunk Cloud certification.
- Converts the API key from unsecured to secured storage using Splunk's storage passwords API
- Creating a new input configuration and stream will no longer save the API key in your inputs.conf file
- To migrate your existing app and input configurations:
* Make sure you have your API ID and key written down or copied to a file before installation
* Install version 1.1.8 of the app
* Restart Splunk
* Visit https://<your splunk address>/en-US/_bump and click the 'Bump version' button
* Your app config will be updated automatically when you visit the inputs page
* If you see the error message "Warning! It appears your configuration is incomplete, so you will not be able to create any inputs. Please update your configuration." when first visiting the page after updating, try refreshing
* If that doesn't work, visit the configuration page and ensure your configuration is correct
