We just installed the Carbon Black Defense Add-on and are trying to configure it. The instructions say to go to Configuration->Set-up to enter some parameters. When I go to this page I just see the word "loading" and it keeps spinning and never loads.
Does anyone have any idea what is going on?
This is the Carbon Black Developer Relations team. I wanted to post an update here. This app was created with the Splunk Add-on Builder, so there isn't much we can try. We are in the process of communicating with our Splunk contacts and investigating this issue.
We are going to try recreating the app with the Add-on Builder and see if that fixes the issues.
Can we get some input on what versions of Splunk are being used?
@jlongeb: We learnt that this app cannot run on the Splunk Cloud search head due to Splunk Cloud specific restrictions. Instead, Splunk recommended provisioning an Input Data Manager (IDM), which is a managed heavy forwarder and, to my understanding, is included in your Splunk Cloud license. You then install the CB app on the IDM and proceed as documented.
Best of luck. Cheers!
The Add-on doesn't have any real configuration other than configuring one or more modular inputs to Splunk in the 'input' part of the Add-on's UI.
Start the Cb Defense Add-on in Splunk
Go to the "Inputs" tab - "Create new input" page and fill in the following fields:
Enter the API hostname for your Cb Defense instance in the url field - for most customers this will be "api5.conferdeploy.net". If unsure, contact your support representative.
Set apikey to your API key and the connector ID to your connector ID
Set "name" to anything (for example "cbdefense")
Set "interval" to 60 seconds (the polling interval of the Cb Defense notifications API)
Set "index" to whatever Splunk index you'd like the Add-On to place Cb Defense events into
The 2.X Add-on for Splunk supports as many rest-inputs as a user desires. If you would like to integrate with multiple Cb Defense Servers/Connectors simply define multiple inputs.
The Cb Defense Add-On for Splunk uses Splunk’s encrypted credential storage facility to store the API token for your Cb Defense server, so the API key is stored securely on the Splunk server.
I also have this same issue. I even created a brand new Splunk server to test and it does the same thing. Install the Add-on, restart Splunk, click on the add-on link and it just sits there with a "loading" indicator but then never loads. It also eventually gives:
Unable to initialize modular input "carbonblack_defense" defined inside the app "TA-Cb_Defense": Introspecting scheme=carbonblack_defense: script running failed (exited with code 1).
Darla, did you ever get this issue resolved? Anyone else that may be able to assist?
Note: This add-on consumes Carbon Black event data from a JSON file. In order to get the Carbon Black event data into JSON format, you must download and run a utility from Bit9.
Did you do this?