Cisco FTD Unknown Field Search

Hi all,

I'm trying to figure out the best way I can build some dashboards or perform searches against the data field from the Cisco FTD integration. When I attempt to search any of the terms in this field nothing comes back. I tried before to set the integration to save the original message but this adds a lot to the log sizes. The best scenario would be treating the individual items in the field as their own unique fields. Any suggestions welcome.

Thank you,


Still working on this in case somebody has input. I've found that the mapping for the field is supposed to be flattened. It's appearing as unknown so it won't let me search it, but I'm not sure what this means. This integration is fleet managed. I tried to make a data view for it, and still the data appears as unknown.

Hi @cmenuey

What version of the stack?

Supposed to be ... what does the actual mapping show?

Appearing as unknown where?

How are you trying to search?

Give us some sample data, mappings and how you are trying to search and perhaps we can help... you have not provided enough detail for us to help.

