Carbon Black Cloud: Splunk App Alert Input returns 500 error

Article ID: 291472


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

  • After configuring an Alert Input, no alerts are indexed
  • Errors in eventtype="vmware_cbc_api_errors" showing “Received error code 500 from API”

Environment

  • Carbon Black Cloud: All Versions
  • Splunk App 5332: Version 1.1.0 - 1.1.1
  • Alerts Input being used

Cause

Known issue in the Splunk App that occurs when the initial fetch of alerts returns more than 10,000 alerts.

Resolution

  • Upgrade to the latest version of the Splunk App (linked here); this is fixed in version 1.1.2. If upgrading is not possible, try the following:
    1. Delete the Alerts Input.
    2. Create a new Alerts Input with the “Lookback (days)” field set to 0.
      • Ideally give this input a slightly different name from the old one so the two can be told apart in info-level logs.

Additional Information

  • From question 8 in the FAQ on the Splunk App
    1. Is there a limit to the number of alerts that are pulled on each sync?
      • Yes, 10,000
      • If your organization has more than 10,000 alerts each polling interval, you can:
        • Tune alerts to reduce overall alert volume
          • CB Analytics alerts that are known-good in your environment can be tuned with the Carbon Black Cloud console's “Dismiss all future alerts” functionality
          • Follow the recommendations from here
        • Modify the configured Alert Input
          • Increase the minimum severity
          • Use the Query field to filter out alerts you aren't finding value in
          • Change the polling interval from the default of 300 seconds to 120 or 60 seconds
        • Switch to ingesting Alerts via the Forwarder
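The FAQ above gives the 10,000-per-sync cap and three knobs (minimum severity, query, polling interval) but no way to check an alert stream against them before reconfiguring the input. The following Python is an added example, not code from the Splunk App or from Carbon Black. It models alerts as constructed (create_time, severity) records, counts how many land in each polling window, and also sizes the first-run fetch for a given “Lookback (days)” value, which is the fetch the Cause section ties to the 500 error. The `Alert` class, the 1-10 severity scale, the “>= minimum severity” filter semantics, the alignment of polling windows to the first alert, and the sample data are all assumptions.

```python
"""Check whether a Carbon Black Cloud alert stream would hit the Splunk App's
10,000-alerts-per-sync cap under a given Alert Input configuration.

Added example: this is not code from the Splunk App or from Carbon Black.
Alerts are modelled as constructed (create_time, severity) records; the
1-10 severity scale, the ">= minimum severity" filter semantics and the
alignment of polling windows to the first alert are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

ALERTS_PER_SYNC_CAP = 10_000   # limit stated in the Splunk App FAQ
DEFAULT_POLL_INTERVAL_S = 300  # default polling interval from the FAQ


@dataclass(frozen=True)
class Alert:
    create_time: int  # epoch seconds (constructed)
    severity: int     # assumed 1 (lowest) .. 10 (highest)


def alerts_per_poll(alerts: Iterable[Alert], poll_interval_s: int,
                    min_severity: int = 1) -> List[int]:
    """Count alerts in each consecutive polling window of poll_interval_s.

    Alerts below min_severity are dropped, mirroring the input's
    "minimum severity" setting (assumed >= semantics). Windows are
    aligned to the earliest surviving alert.
    """
    kept = [a for a in alerts if a.severity >= min_severity]
    if not kept:
        return []
    start = min(a.create_time for a in kept)
    end = max(a.create_time for a in kept)
    counts = [0] * ((end - start) // poll_interval_s + 1)
    for a in kept:
        counts[(a.create_time - start) // poll_interval_s] += 1
    return counts


def exceeds_cap(alerts: Sequence[Alert], poll_interval_s: int,
                min_severity: int = 1, cap: int = ALERTS_PER_SYNC_CAP) -> bool:
    """True if the busiest polling window holds more alerts than the cap."""
    busiest = max(alerts_per_poll(alerts, poll_interval_s, min_severity), default=0)
    return busiest > cap


def first_safe_interval(alerts: Sequence[Alert],
                        candidates: Sequence[int] = (300, 120, 60),
                        min_severity: int = 1) -> Optional[int]:
    """Largest candidate interval (the FAQ's 300/120/60 s) that stays under the cap."""
    for interval in sorted(candidates, reverse=True):
        if not exceeds_cap(alerts, interval, min_severity):
            return interval
    return None


def initial_fetch_count(alerts: Iterable[Alert], lookback_days: int, now: int) -> int:
    """Alerts the input would request on first run with the given "Lookback (days)".

    This is the fetch the Cause section says triggers the 500 when it exceeds
    10,000 alerts; a lookback of 0 requests no history at all.
    """
    if lookback_days <= 0:
        return 0
    since = now - lookback_days * 86_400
    return sum(1 for a in alerts if a.create_time >= since)


# Constructed sample: a noisy 300-second burst of 50 low-severity alerts per
# second (15,000 total) plus one severity-8 alert every third second (100).
SAMPLE_ALERTS: List[Alert] = (
    [Alert(t, 3) for t in range(300) for _ in range(50)]
    + [Alert(t, 8) for t in range(0, 300, 3)]
)


if __name__ == "__main__":
    now = 300  # constructed "current time" just after the burst
    print("initial fetch, lookback 1 day:", initial_fetch_count(SAMPLE_ALERTS, 1, now))
    print("initial fetch, lookback 0:    ", initial_fetch_count(SAMPLE_ALERTS, 0, now))
    for interval in (300, 120, 60):
        print(f"poll {interval:>3}s, min severity 1 -> windows",
              alerts_per_poll(SAMPLE_ALERTS, interval),
              "exceeds cap:", exceeds_cap(SAMPLE_ALERTS, interval))
    print("min severity 5 at 300s exceeds cap:",
          exceeds_cap(SAMPLE_ALERTS, 300, min_severity=5))
    print("first safe interval:", first_safe_interval(SAMPLE_ALERTS))
```

On the constructed sample the default 300-second interval puts all 15,100 alerts in one window and exceeds the cap, a 120-second interval brings the busiest window down to 6,040, and raising the minimum severity to 5 leaves only the 100 high-severity alerts. A one-day lookback would pull the whole burst on the first run, while a lookback of 0 requests nothing, which is why the Resolution recreates the input with that value. To use this against real data, replace `SAMPLE_ALERTS` with alert create times and severities exported from your own environment.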