All Apps and Add-ons

Why is VMware Carbon Black Cloud eventtypes not applying correctly?

poconnell_t
Engager

I'm having issues with eventtypes not correctly being applied from VMware Carbon Black Cloud ingest that I can't figure out, as each search in the chain successfully finds events. These are the three eventtypes that chain together. The first two apply correctly (vmware_cbc_base_index, vmware_cbc_alerts), but not the third (vmware_cbc_malware).

From eventtypes.conf:

 

 

[vmware_cbc_base_index]
search = index=carbonblack_audit

[vmware_cbc_alerts]
search = eventtype=vmware_cbc_base_index sourcetype="vmware:cbc:s3:alerts" OR sourcetype="vmware:cbc:alerts"

[vmware_cbc_malware]
search = eventtype=vmware_cbc_alerts threat_cause_threat_category="*MALWARE*" NOT threat_cause_threat_category="*NON_MALWARE*"

 
 When I use the search in the third eventtype (vmware_cbc_malware), I do get events. Search:
eventtype=vmware_cbc_alerts threat_cause_threat_category="*MALWARE*" NOT threat_cause_threat_category="*NON_MALWARE*"
| stats count by eventtype

  
eventtype count
vmware_cbc_alerts 65
vmware_cbc_base_index 65

Can anyone help me figure out why this third eventtype is not being applied?

 
Labels (2)
Tags (1)
0 Karma
1 Solution

poconnell_t
Engager

Sigh, nevermind, this was an issue with exports in default.meta.

View solution in original post

0 Karma

poconnell_t
Engager

Sigh, nevermind, this was an issue with exports in default.meta.

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...