Event data pulled from Splunk is several days old


Article ID: 292392


Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

  • Splunk is configured to receive data via API from Carbon Black Cloud
  • Data arrives but appears to be several days old
  • There are no error messages to indicate an issue

Environment

  • Carbon Black Cloud: All versions
  • Carbon Black App for Splunk: 1.x
  • Splunk: 8.x

Cause

  • The Carbon Black App for Splunk currently returns at most 2,000 events per data pull.
  • When a large backlog of events has built up, the app cannot catch up with the default input settings: each pull drains only 2,000 events while new ones keep arriving, so the data Splunk receives falls progressively further behind the current time. Because every pull itself succeeds, no error is reported.

Resolution

  1. In the Carbon Black App for Splunk configuration, navigate to the Alerts Inputs tab
  2. Select an inputs entry to edit
  3. Reduce the Interval for data pulls. The default is 300 seconds; a shorter interval means more pulls per hour, and with it more events the app can ingest per hour
  4. Increasing the Minimum Severity can also reduce the number of data items to pull. Note that alerts below the selected severity are then not ingested into Splunk at all, so set it with the detections that depend on those alerts in mind
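The following Python model is an added example, not code from the article or from the Carbon Black App for Splunk. It shows the arithmetic behind the Cause and Resolution above: with a fixed cap per pull, the hourly ingest ceiling is 2,000 × (3600 / Interval), and whenever alerts are generated faster than that the backlog, and therefore the age of the data reaching Splunk, grows without bound until the Interval is shortened. The functions, the assumption that alerts arrive at a steady rate and are pulled oldest first, and the alert rates used in the run are all mine; raising the Minimum Severity corresponds to lowering `alert_rate_per_hour`.

```python
"""Added example (not part of the original article): a small model of the
Carbon Black App for Splunk alert input, showing why a per-pull cap makes the
data Splunk receives fall behind, and what shortening the Interval does.

Assumptions (mine, not the app's documented behaviour): each pull returns at
most MAX_PER_PULL alerts, oldest first; pulls run every `interval_s` seconds;
alerts are generated at a steady rate. The alert rates below are constructed.
"""
import math

MAX_PER_PULL = 2000  # per-pull event limit stated in the article


def throughput_per_hour(interval_s, per_pull=MAX_PER_PULL):
    """Most alerts the input can move into Splunk in one hour."""
    return per_pull * 3600.0 / interval_s


def keeps_up(alert_rate_per_hour, interval_s, per_pull=MAX_PER_PULL):
    """True when the input can ingest alerts at least as fast as they arrive."""
    return throughput_per_hour(interval_s, per_pull) >= alert_rate_per_hour


def hours_to_drain(backlog, alert_rate_per_hour, interval_s, per_pull=MAX_PER_PULL):
    """Hours until an existing backlog is cleared; inf if the input never catches up."""
    spare = throughput_per_hour(interval_s, per_pull) - alert_rate_per_hour
    if spare <= 0:
        return math.inf
    return backlog / spare


def simulate(alert_rate_per_hour, interval_s, hours, per_pull=MAX_PER_PULL,
             initial_backlog=0):
    """Run the pull loop for `hours` and report the backlog still waiting in
    the cloud and the age, in seconds, of the oldest alert delivered on the
    worst pull.

    Waiting alerts are in arrival order, so when a pull starts the oldest
    one is (backlog / rate) seconds old.
    """
    rate_per_s = alert_rate_per_hour / 3600.0
    backlog = float(initial_backlog)
    worst_age_s = 0.0
    for _ in range(int(hours * 3600 // interval_s)):
        backlog += rate_per_s * interval_s           # alerts created since the last pull
        worst_age_s = max(worst_age_s, backlog / rate_per_s)
        backlog -= min(per_pull, backlog)            # a pull drains at most per_pull
    return {
        "backlog": backlog,
        "worst_age_s": worst_age_s,
        "keeps_up": keeps_up(alert_rate_per_hour, interval_s, per_pull),
    }


if __name__ == "__main__":
    rate = 30000  # constructed: alerts per hour during a noisy period
    for interval in (300, 60):
        r = simulate(rate, interval, hours=24)
        print(f"interval={interval}s keeps_up={r['keeps_up']} "
              f"backlog={r['backlog']:.0f} worst_age={r['worst_age_s'] / 3600:.1f}h")
    print(f"drain a 144000-event backlog at a 60s interval: "
          f"{hours_to_drain(144000, rate, 60):.1f}h")
```

At the default 300-second Interval the ceiling is 24,000 alerts per hour, so the constructed 30,000-per-hour burst leaves 500 alerts behind on every pull and the delivered data is already about five hours old after a day; at 60 seconds the ceiling is 120,000 per hour, the input keeps up, and the accumulated backlog drains in under two hours. To measure the real lag in Splunk rather than model it, compare index time with event time on the app's alert events, for example `| eval lag_s=_indextime-_time | stats max(lag_s)`.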