All Apps and Add-ons

Set-up Page in Carbon Black Defense App just spins - what is wrong?

Communicator

Hi.

We just installed the Carbon Black Defense Add-on and are trying to configure it. The instructions say to go to Configuration->Set-up to enter some parameters. When I go to this page I just see the word "loading" and it keeps spinning and never loads.

Does anyone have any idea what is going on?

Thanks,
Darla

0 Karma

Path Finder

Hi,

This is the Carbon Black Developer Relations team. I wanted to post an update here. This app was created with the Splunk Add on builder, so there isn't much we can try. We are in the process of communicating with our Splunk contacts and investigating this issue.

We are going to try recreating the App with the Add on builder and see if that fixes the issues.

Can we get some input on what versions of Splunk are being used?

0 Karma

New Member

We're having the same issue. We're using Splunk Cloud - version info:
Splunk Version
7.0.13
Splunk Build
b6e41c05f519

0 Karma

Engager

@jlongeb: We learnt that this app cannot run on the Splunk cloud search head due to Splunk cloud specific restrictions. Instead Splunk recommended provisioning an Input Data Manager (IDM) [1], which is a managed heavy forwarder and to my understanding is included in you Splunk cloud license. You then install the CB app on the IDM and proceed as documented.

Best of luck. Cheers!

[1] https://docs.splunk.com/Documentation/SplunkCloud/8.0.1/Admin/IntroGDI#Work_with_Inputs_Data_Manager...

0 Karma

New Member

Great to know! Thanks so much

0 Karma

Engager

Seeing this on Splunk cloud 7.0.9.1 with version 2.0.1 of the app. The Configuration and Search tabs loads fine, but the Inputs tab just shows the infinite spinner and the text "Loading."

0 Karma

New Member

Seeing this on version 7.0.3.4

0 Karma

New Member

The Add-on doesn't have any real configuration other than configuring one or more modular inputs to splunk in the 'input' part of the Add-ons UI.

GUI Configuration
Start the Cb Defense Add-on in Splunk
Go to the "Inputs" tab - "Create new input" page and fill in the following fields:
Enter the API hostname for your Cb Defense instance in the url field - for most customers this will be "api5.conferdeploy.net". If unsure, contact your support representative.
Set apikey to your API key and the connector ID to your connector ID
Set "name" to anything (for example "cbdefense")
Set "interval" to 60 seconds (the polling interval of the Cb Defense notifications API)
Set "index" to whatever Splunk index you'd like the Add-On to place Cb Defense events into
The 2.X Add-on for Splunk supports as many rest-inputs as a user desires. If you would like to integrate with multiple Cb Defense Servers/Connectors simply define multiple inputs.

The Cb Defense Add-On for Splunk uses Splunk’s encrypted credential storage facility to store the API token for your Cb Defense server, so the API key is stored securely on the Splunk server.

0 Karma

Path Finder

I also have this same issue. I even created a brand new Splunk server to test and it does the same thing. Install the Ad-On, restart Splunk, click on the add on link and it just sits there with a"loading" indicator but then never loads. It also eventually gives;

Unable to initialize modular input "carbonblack_defense" defined inside the app "TA-Cb_Defense": Introspecting scheme=carbonblack_defense: script running failed (exited with code 1).

Darla, did you ever get this issue resolved? Anyone else that may be able to assist?

Thanks

0 Karma

Esteemed Legend

The dox here:
http://docs.splunk.com/Documentation/AddOns/latest/Bit9CarbonBlack/About

Say this:
Note: This add-on consumes Carbon Black event data from a JSON file. In order to get the Carbon Black event data into JSON format, you must download and run a utility from Bit9.

Did you do this?

0 Karma

Explorer

Just FYI - note that this does not apply to the Cb Defense Add-on. The Bit9-Carbon Black add-on is referring to what's now called Cb Response.

0 Karma

Communicator

Thanks. I feel like I'm not even ready for that yet. I first have to enter an API key in the "Setup" page I can't seem to get loaded.

0 Karma