Carbon Black Cloud: Splunk App - Live Query Data Not Populating

Article ID: 288285

Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly CB ThreatHunter)

Issue/Introduction

Live Query Data Not Populating in Splunk

Environment

  • Carbon Black Cloud: All Versions
  • Carbon Black Cloud Splunk App (Splunkbase app 5332): Versions 1.0 - 1.1.1

Cause

By default, the result query on the Live Query tab is blank (null). The result query is the filter applied to Live Query results before they are ingested, so with no query set, no results are selected and nothing reaches Splunk.

Resolution

In the Splunk App, open the "Live Query" tab and enter a result query that selects the Live Query results to be ingested. To ingest all results, enter * as the result query. Once a non-blank query is saved, Live Query data should begin populating on the next collection.
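The following is an added illustration, not code from the Carbon Black Cloud Splunk App or from this article. It models the failure mode described above: a blank result query selects nothing, while * selects every row. The matching semantics (blank matches nothing, * matches all, anything else treated as a case-insensitive glob over the row's string fields) and the sample rows are assumptions made for the example; the app's real filter behaviour is only described here as "refine the results that will be ingested".

```python
"""Added example, not part of the Carbon Black Cloud Splunk App.
Models how the Live Query "result query" setting gates ingestion:
blank (the default) ingests nothing, "*" ingests everything.
The matching rules below are an assumption for illustration."""
import fnmatch

# Constructed sample Live Query result rows (not real device data):
# roughly what a device returns for an osquery-style query run from the console.
SAMPLE_RESULTS = [
    {"device_name": "WS-0101", "status": "matched", "fields": {"name": "chrome.exe"}},
    {"device_name": "WS-0102", "status": "matched", "fields": {"name": "powershell.exe"}},
    {"device_name": "SRV-0201", "status": "error", "fields": {}},
]


def row_matches(row, result_query):
    """Return True if a result row passes the result query.

    Assumed semantics: a blank/None query matches nothing (the default that
    leaves the Splunk index empty), "*" matches every row, and any other
    value is a case-insensitive glob tested against each string in the row.
    """
    query = (result_query or "").strip()
    if not query:
        return False
    if query == "*":
        return True
    haystack = [row["device_name"], row["status"], *map(str, row["fields"].values())]
    return any(fnmatch.fnmatch(value.lower(), query.lower()) for value in haystack)


def select_for_ingestion(results, result_query):
    """Rows that would be forwarded to Splunk under the given result query."""
    return [row for row in results if row_matches(row, result_query)]


def diagnose(results, result_query):
    """One-line explanation a Splunk admin can act on when the index is empty."""
    if not (result_query or "").strip():
        return "result query is blank: 0 rows ingested; set it to * to ingest all results"
    selected = select_for_ingestion(results, result_query)
    return f"result query {result_query!r}: {len(selected)} of {len(results)} rows ingested"


if __name__ == "__main__":
    for query in ("", "*", "ws-*"):
        print(diagnose(SAMPLE_RESULTS, query))
```

The useful check is the first branch of diagnose: when Live Query data is missing, confirm the result query is actually non-blank before looking at API credentials or inputs, since a blank filter produces no errors, only silence.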

Additional Information

https://developer.carbonblack.com/reference/carbon-black-cloud/integrations/splunk-app/