Carbon Black Cloud: Splunk App Alert Input returns 500 error
Article ID: 291472
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Environment
- Carbon Black Cloud: All Versions
- Splunk App 5332: Version 1.1.0 - 1.1.1
- Alerts Input being used
Cause
Known issue in the Splunk App when the initial fetch of Alerts exceeds 10,000 alerts.
Resolution
- Upgrade to the latest version of the Splunk App; this is fixed in 1.1.2. If an upgrade is not possible, try the following:
- Delete the Alerts Input
- Create a new Alerts Input with the “Lookback (days)” field set to 0
- Ideally give this input a slightly different name than the old one so the two can be told apart in info-level logs
Additional Information
- From question 8 in the FAQ on the Splunk App:
  - Is there a limit to the number of alerts that are pulled on each sync?
    - Yes, 10,000
  - If your organization has more than 10,000 alerts each polling interval, you can:
    - Tune alerts to reduce overall alert volume
      - CB Analytics alerts that are known-good in your environment can be tuned from the Carbon Black Cloud console “Dismiss all future alerts” functionality
      - Follow the recommendations linked there
    - Modify the configured Alert Input
      - Increase the minimum severity
      - Use the Query to filter out alerts you aren’t finding value in
      - Change the polling interval from the default of 300 seconds to 120 or 60 seconds
    - Switch to ingesting Alerts via the Forwarder
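As an added pre-check that is not part of this article or the Splunk App, the following Python script estimates the largest “Lookback (days)” value whose initial fetch would stay within the 10,000-alert per-sync limit described above, so a new Alerts Input can be created without triggering the known issue. The Alerts search API endpoint, auth header and request body used by fetch_daily_counts() are assumptions, not something this article states.

```python
"""Added pre-check for the Splunk App Alerts Input (not the article's code).

Estimates the largest "Lookback (days)" whose initial fetch stays at or below
the 10,000-alert per-sync limit. Daily counts come from a constructed sample
or from fetch_daily_counts(), whose endpoint, header and body shape are
ASSUMPTIONS about the Carbon Black Cloud v7 Alerts search API.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

ALERT_CAP = 10_000  # per-sync limit quoted in the Splunk App FAQ


def safe_lookback_days(daily_counts, cap=ALERT_CAP):
    """Largest lookback (whole days) whose cumulative alert count is <= cap.

    daily_counts[0] is the most recent day, daily_counts[1] the day before.
    Returns 0 when even the newest day alone exceeds the cap, which matches
    the article's workaround of recreating the input with Lookback set to 0.
    """
    total = 0
    for days, count in enumerate(daily_counts, start=1):
        total += count
        if total > cap:
            return days - 1
    return len(daily_counts)


def fetch_daily_counts(hostname, org_key, api_id, api_secret, days):
    """Per-day alert counts via the Alerts search API (assumed endpoint)."""
    url = f"{hostname}/api/alerts/v7/orgs/{org_key}/alerts/_search"
    headers = {"X-Auth-Token": f"{api_secret}/{api_id}",
               "Content-Type": "application/json"}
    now = datetime.now(timezone.utc)
    counts = []
    for d in range(days):
        end = now - timedelta(days=d)
        start = end - timedelta(days=1)
        body = json.dumps({"time_range": {"start": start.isoformat(),
                                          "end": end.isoformat()},
                           "rows": 0}).encode()  # rows=0: only the count
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            counts.append(json.load(resp)["num_found"])
    return counts


if __name__ == "__main__":
    sample = [2100, 2600, 1900, 2400, 2800, 2200, 2500]  # constructed counts
    print("largest safe lookback:", safe_lookback_days(sample), "days")
```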