Carbon Black Cloud: Splunk fails to populate data

Article ID: 290707


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Carbon Black data does not appear in the Splunk dashboard interface
  • Splunk indexes show 0 entries
  • No relevant errors appear in the UI or backend logs

Environment

  • Carbon Black Cloud console: All versions
  • VMware Carbon Black Cloud App for Splunk: 1.x
  • Splunk: 8.x

Cause

An incorrect index is configured for the Alerts Inputs

Resolution

  1. Log into Splunk and open VMware Carbon Black Cloud App for Splunk
  2. Open VMware CBC Base Configuration tab
  3. Verify name of VMware CBC Base Index
  4. Open Alerts Inputs tab
  5. Change Index listed for the Alerts Ingest Configuration to VMware CBC Base Index
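As an added example (not part of this article or the VMware CBC app), the script below parses Splunk inputs.conf text and flags any input stanza whose `index` differs from the base index, which is the mismatch step 5 corrects; the stanza names, index names and the sample conf are constructed for illustration.

```python
"""Flag Splunk input stanzas that do not write to the expected base index.

Added example, not code from the KB article or the VMware CBC app. Splunk
stores modular inputs in inputs.conf as INI-style stanzas with an `index`
key; the stanza and index names below are constructed.
"""
import configparser

# Constructed inputs.conf: the alerts input points at a different index
# than the base index, so its events never reach the app's dashboards.
SAMPLE_INPUTS_CONF = """
[cbc_alerts://prod]
index = cbc_alerts
interval = 300

[cbc_events://prod]
index = vmware_cbc
interval = 300

[cbc_audit://prod]
interval = 600
"""


def parse_inputs_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    parser = configparser.RawConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def find_index_mismatches(text, base_index, default_index="main"):
    """Return {stanza: effective_index} for inputs not writing to base_index.

    A stanza with no explicit `index` inherits Splunk's default index
    (normally main), which is also a mismatch worth reporting.
    """
    mismatches = {}
    for stanza, keys in parse_inputs_conf(text).items():
        effective = keys.get("index", default_index).strip()
        if effective != base_index:
            mismatches[stanza] = effective
    return mismatches


if __name__ == "__main__":
    for stanza, idx in find_index_mismatches(SAMPLE_INPUTS_CONF, "vmware_cbc").items():
        print(f"{stanza}: index={idx} (expected vmware_cbc)")
```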

Additional Information

The VMware CBC Base Configuration section also contains an Alert Action Index; however, this index is for Splunk-generated alerts and should not be confused with the index for incoming alerts from CBC.