EDR: The link_process field for some events end with /1 instead of a segment_id value in Splunk
Article ID: 289102
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
The link_process field for some events end with /1 instead of a segment_id value in Splunk
Example: https://<servername>/#/analyze/00008581-0000-0004-01d5-09286532aff2/1
Example: https://<servername>/#/analyze/00008581-0000-0004-01d5-09286532aff2/1
Environment
- EDR Server: All Versions
- CB-Event-Forwarder: All Versions
- Splunk
Cause
This is a product feature for those events that are sent directly to Splunk during ingestion instead of being processed and indexed by SOLR, which is when a segment_id is able to be attached.
Resolution
This is expected and there is no change that needs to be made to the product. Consider collecting events from the cb-event-forwarder that are generated after SOLR storage takes place as well as alerts.
Feedback
Yes
No
Powered by
