How to collect support data for CBC Splunk apps

Article ID: 290145

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Information and data to collect to expedite support cases involving VMware Carbon Black Cloud App for Splunk and associated add-ons

Environment

  • Carbon Black Cloud: All versions
  • VMware Carbon Black Cloud App for Splunk: 1.x
  • Splunk: 8.x (Enterprise and Cloud Platform)

Resolution

  1. Check for common issues
    1. There may be an existing document in the knowledge base. Refer to these common issues if applicable:
      1. Splunk App Alert Input returns 500 error
      2. Splunk app user is not authenticated or receives error codes 401 or 403
      3. Splunk fails to populate data
    2. Confirm that the correct apps/add-ons are deployed on the correct nodes:
      1. For example, in a distributed deployment the App and the IA/TA must be installed on different nodes, as described in the "Distributed App Configuration" section of the deployment guide
    3. Confirm the correct API and Org keys are specified in the API Token Configuration
      1. These should match in the CBC console and Splunk app
    4. In the VMware Carbon Black Cloud App for Splunk interface, ensure the indices specified in the Base Configuration page have been created:
      1. The Base Index and Alert Action Index should be uniquely named
  2. If the items in Step 1 do not resolve the issue, prepare some details about the deployment before opening a case:
    1. Version of Splunk
    2. Which Splunk Platform: Enterprise (on-prem) or Cloud
    3. List of Splunk components (i.e., IA, TA, IDM, etc.)
    4. List CBC apps/add-on details
      1. Name and version of the installed apps/add-ons
      2. Which nodes are they installed to
  3. Gather the following data:
    1. Screenshots of all Splunk app configuration tabs
    2. Gather Splunk app logs: How to fetch logs for VMware Carbon Black Cloud App for Splunk
    3. Run the following searches and collect both a screenshot and an export of the results:
      • index="_internal" sourcetype="vmware:cbc:error"
      • index="_internal" sourcetype="vmware:cbc:warning"
      • eventtype="vmware_cbc_base_index" sourcetype="vmware:cbc:informational"
      • eventtype="vmware_cbc_api_errors"
    4. Get a list of CBC Apps installed on the Splunk instance
      1. In the upper left of Splunk, go to the “Apps” dropdown and select “Manage Apps”
      2. Search for “CB” and screenshot the results
  4. Open a case with Carbon Black Technical Support and provide a clear description of the issue with the info and data gathered in Steps 2 and 3
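The exports requested in steps 3.3 and 3.4 can be pulled from the command line rather than the search UI, which is handy when the same bundle has to be collected repeatedly or from a search head you cannot reach interactively. The script below is an added example and is not code from the article or from the Carbon Black Cloud App for Splunk. It assumes a Splunk authentication token in the SPLUNK_TOKEN environment variable with permission to search _internal and the CBC indices, a reachable management port (8089 by default), and it uses a constructed sample app listing with the hypothetical app name VMware_CBC_App and made-up version numbers only to show the filter offline.

```python
"""Collect VMware Carbon Black Cloud App for Splunk support data over the
Splunk REST API (management port, usually 8089).

Added example, not code from the article or the app. Assumes a Splunk
authentication token in SPLUNK_TOKEN and a base URL such as
https://splunk-host:8089 (hypothetical host name).
"""
import json
import os
import ssl
import sys
import urllib.parse
import urllib.request
from pathlib import Path

# The four diagnostic searches from step 3.3 of the article, keyed by output file name.
SUPPORT_SEARCHES = {
    "cbc_errors": 'index="_internal" sourcetype="vmware:cbc:error"',
    "cbc_warnings": 'index="_internal" sourcetype="vmware:cbc:warning"',
    "cbc_informational": 'eventtype="vmware_cbc_base_index" sourcetype="vmware:cbc:informational"',
    "cbc_api_errors": 'eventtype="vmware_cbc_api_errors"',
}


def rest_search_string(spl: str) -> str:
    """Searches submitted to /services/search/jobs must begin with an explicit
    'search' command (the UI adds it implicitly); a leading '|' generating
    command is passed through unchanged."""
    spl = spl.strip()
    if spl.startswith("|") or spl.startswith("search "):
        return spl
    return "search " + spl


def export_body(spl: str, earliest: str = "-7d", latest: str = "now") -> bytes:
    """Form body for /services/search/jobs/export: results are streamed back
    synchronously as CSV, which is the export format to attach to the case."""
    params = {
        "search": rest_search_string(spl),
        "output_mode": "csv",
        "earliest_time": earliest,
        "latest_time": latest,
    }
    return urllib.parse.urlencode(params).encode()


def cbc_apps_from_listing(listing_json: bytes) -> list:
    """Filter a /services/apps/local JSON listing the way step 3.4 does in the
    UI (search for 'CB'): keep apps whose id or label contains 'cb'."""
    apps = []
    for entry in json.loads(listing_json)["entry"]:
        content = entry.get("content", {})
        name, label = entry.get("name", ""), content.get("label", "")
        if "cb" in name.lower() or "cb" in label.lower():
            apps.append({"name": name, "label": label, "version": content.get("version", "")})
    return apps


def splunk_request(base_url: str, path: str, token: str, data: bytes = None, verify_tls: bool = True) -> bytes:
    """One authenticated call to the management port using a Splunk token."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab instances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url + path, data=data, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, context=ctx, timeout=300) as resp:
        return resp.read()


def collect(base_url: str, token: str, outdir: Path, verify_tls: bool = True) -> list:
    """Export each diagnostic search to CSV and the CBC app inventory to JSON."""
    outdir.mkdir(parents=True, exist_ok=True)
    for name, spl in SUPPORT_SEARCHES.items():
        rows = splunk_request(base_url, "/services/search/jobs/export", token, export_body(spl), verify_tls)
        (outdir / f"{name}.csv").write_bytes(rows)
    listing = splunk_request(base_url, "/services/apps/local?output_mode=json&count=0", token, verify_tls=verify_tls)
    apps = cbc_apps_from_listing(listing)
    (outdir / "cbc_apps.json").write_text(json.dumps(apps, indent=2))
    return apps


# Constructed sample of the JSON shape /services/apps/local returns; the app
# name and version numbers are hypothetical and only illustrate the filter.
SAMPLE_APP_LISTING = json.dumps({"entry": [
    {"name": "VMware_CBC_App", "content": {"label": "VMware Carbon Black Cloud", "version": "1.1.0"}},
    {"name": "search", "content": {"label": "Search & Reporting", "version": "8.2.0"}},
]}).encode()

if __name__ == "__main__":
    if len(sys.argv) != 3 or "SPLUNK_TOKEN" not in os.environ:
        sys.exit("usage: SPLUNK_TOKEN=... collect_cbc_support.py https://splunk-host:8089 ./support-bundle")
    found = collect(sys.argv[1], os.environ["SPLUNK_TOKEN"], Path(sys.argv[2]))
    print(f"exported {len(SUPPORT_SEARCHES)} searches; CBC apps found: {[a['name'] for a in found]}")
```

Two details matter when moving these searches out of the UI: the REST search endpoints require the leading `search` command that the search bar adds for you, and the default time range is the last seven days here, so widen `earliest` if the failure predates that. The CSV files and cbc_apps.json produced in the output directory are the artifacts to attach to the case, alongside the screenshots the article asks for.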