
Carbon Black TA and Cb Response App: Parsed field names don't match app dashboards?


Hello, our admins have the following app and TA installed per the integration video's instructions, however the field names do not seem to be aligned between the app and TA:

  • Carbon Black TA (Technology Add-on) - this will allow Splunk to parse the events sent via the Cb Response Event Forwarder (above)
  • Cb Response App for Splunk - provides dashboards, workflow actions, and more to help visualize and explore Carbon Black data

For example, in the Cb Response Endpoint Status dashboard, the "Total Agents Seen" timeline is powered by the following search:

`cb` earliest=-7h |timechart dc(computer_name) |streamstats max("Total Agents Seen") as "Max Agents Seen"

The timeline is blank because computer_name does not appear as a field. Instead, it seems as though HostName is the parsed field name for us?

Similarly the Process Timeline dashboard is powered by the following search:

`cb` process_guid="$proc_guid$" | timechart span=30m count by type

But we do not see a field called process_guid.

If it helps, our field names look like the following:

Most of our field names do not use an underscore; they are instead camel case.

0 Karma
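An added example, not part of the original post and not code shipped with the Cb Response App or the Carbon Black TA: if the only difference really were the naming convention, a search-time field alias in a local props.conf on the search head would let the unmodified dashboards resolve computer_name without editing the app. The sourcetype name cb:json below is an assumption for illustration; use whatever sourcetype the TA actually assigns (for example, check with | metadata type=sourcetypes index=<your index>, or read the TA's own props.conf). Only HostName has a stated counterpart on this page, so nothing is aliased to process_guid here. Note also the answer further down that these camel-case fields belong to Cb Protection, not Cb Response; an alias would mask a data-source mismatch rather than fix it, so confirm which product is feeding the index first.

```ini
# $SPLUNK_HOME/etc/apps/<your_local_app>/local/props.conf on the search head.
# Added example: not part of the Cb Response App or the Carbon Black TA.
# "cb:json" is an assumed sourcetype name; replace it with the one your TA sets.
[cb:json]
# Search-time alias. The original HostName field is kept, and the dashboard's
# dc(computer_name) resolves to the same values. No process_guid alias is added
# because the page names no camel-case field that carries that value.
FIELDALIAS-cb_response_hostname = HostName AS computer_name
```

After a search-head restart (or hitting /debug/refresh), verify with the same macro the dashboard uses: `cb` earliest=-7h | stats dc(HostName) dc(computer_name). The two counts match if the alias is applied; if computer_name is still empty, the events are hitting a different sourcetype than the one in the stanza.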

Path Finder

Catch-22 - if you go with the Cb Protect app from Carbon Black, you don't get CIM compliant tags, so it won't likely work with Enterprise Security. At least there's no mention that the Cb Protect app is CIM compliant.

0 Karma

Splunk Employee

Hi @TonyLeeVT - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

Path Finder

Hi @TonyLeeVT, the fields you're referencing are from Cb Protection (the former Bit9 product), but you're using the Cb Response App for Splunk.

You want the Cb Protection App for Splunk which is available here:

Hope this helps!

0 Karma



Can you give some details about your environment? Also, where have you installed the TA?
This link refers to where the TA has to be added in the case of a distributed environment:

Let me know if this helps!!!

0 Karma