
Carbon Black TA and Cb Response App: Parsed field names don't match app dashboards?


Hello, our admins have the following app and TA installed per the integration video's instructions, however the field names do not seem to be aligned between the app and TA:

  • Carbon Black TA (Technology Add-on) - this will allow Splunk to parse the events sent via the Cb Response Event Forwarder (above)
  • Cb Response App for Splunk - provides dashboards, workflow actions, and more to help visualize and explore Carbon Black data

For example, in the Cb Response Endpoint Status dashboard, the "Total Agents Seen" timeline is powered by the following search:

`cb` earliest=-7h |timechart dc(computer_name) |streamstats max("Total Agents Seen") as "Max Agents Seen"

The timeline is blank because computer_name does not appear as a field. Instead, it seems as though HostName is the parsed field name for us?

Similarly the Process Timeline dashboard is powered by the following search:

`cb` process_guid="$proc_guid$" | timechart span=30m count by type

But we do not see a field called process_guid.

If it helps, our field names look like the following:

Most of our field names do not use an underscore, they are instead camel case.

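The mismatch described in the question is between the field names the dashboards search for (snake_case, such as computer_name and process_guid) and the field names actually extracted from the events (camelCase, such as HostName). The following props.conf stanza is an added example, not from the original poster or from the Carbon Black TA, showing how Splunk's search-time FIELDALIAS setting would expose a camelCase field under the snake_case name a dashboard expects. The sourcetype name cb:events and the original field name ProcessGuid are assumptions; only HostName is named in the thread.

```ini
# Added example (not from the thread or the TA): alias the camelCase fields
# that the Cb events actually carry to the snake_case names the Cb Response App
# dashboards search for. FIELDALIAS is applied at search time, so in a
# distributed deployment this stanza belongs on the search head, not only on
# the indexers or forwarders.
#
# Assumptions: the sourcetype is cb:events (check with `cb` | stats count by
# sourcetype) and the camelCase names are HostName and ProcessGuid (check with
# `cb` | fieldsummary). Adjust both to what your data really shows.
[cb:events]
FIELDALIAS-cb_host    = HostName AS computer_name
FIELDALIAS-cb_procguid = ProcessGuid AS process_guid
```

After a restart of the search head (or a debug/refresh), `cb` earliest=-7h | stats dc(computer_name) should return a non-zero count if the alias is in effect. Note the caveat from the answers below: an alias only renames fields, so if the events are really Cb Protection events rather than Cb Response events, the dashboards will still not describe the data correctly; the alias hides the symptom, not the cause.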

Path Finder

Catch 22 - if you go with the Cb Protect app from Carbon Black, you don't get CIM compliant tags, so it won't likely work with Enterprise Security. At least there's no mention that the Cb Protect app is CIM compliant.


Splunk Employee

Hi @TonyLeeVT - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.


Path Finder

Hi @TonyLeeVT, the fields you're referencing are from Cb Protection (the former Bit9 product), but you're using the Cb Response App for Splunk.

You want the Cb Protection App for Splunk which is available here:

Hope this helps!




Can you give some details about your environment? Also where have you installed the TA?
This link refers to where the TA has to be added in case of distributed environment:

Let me know if this helps!!!
