All Apps and Add-ons

No data on CB app main dashboard

mnamestnik
Explorer

So I have the app set up right (I believe) with the server URL and an API token from my CB Response cluster. The reason that I believe I have it set up right is that I can perform successful binary and process searches from the 'Carbon Black Enterprise Response' drop down at the top left of the app. However, my main dashboard screen for that app shows 0 sensors reporting alerts, 0 alerts triggered, 0 banned hashes executed, and 0 master servers sending data. I know I've had alerts within CB during the time period that I've had this app installed/enabled, as I spend half my day in the CB UI sifting through and resolving alerts. Is this a known bug, something misconfigured, and/or something I can easily fix myself? It would be nice to have it working so I could spend more time in Splunk instead of having to bounce back and forth. I am running 5.1.1 patch 3 on the CB Response side, and Splunk 6.4.2 with the latest CB app from Splunkbase. Thanks! (screenshot: https://imagebin.ca/v/2rfVOGApMQl4)

0 Karma
1 Solution

mnamestnik
Explorer

Hey, sorry, I totally forgot that I had even posted this since I never got a response. lol

So for me it ended up being that I was writing my CB data to a different index than main, and I was using a custom sourcetype as well on import for CIM purposes (and for the timestamp, since you have to specify where to look in the JSON data for the timestamp, or else Splunk defaults to the time it's imported into the index instead of the original time from the CB data itself). The definition in /opt/splunk/etc/apps/DA-ESS-CbResponse/default/macros.conf needed to be repointed to the index and sourcetype that my data actually used. In my case I was writing to the 'cb' index and was using a sourcetype of 'cb' as well, like the below:

definition = index="cb" sourcetype="cb"

Hope that helps

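An added example of the two configuration pieces the accepted answer describes (the repointed macro and a custom sourcetype with timestamp extraction), written here as illustration rather than taken from the poster or from the DA-ESS-CbResponse app. The macro stanza name is a placeholder because the thread never names it; the props.conf stanza assumes one JSON object per event with an epoch-seconds "timestamp" field, which is an assumption about the CB export format, not something the thread states. It also places the override in local/ instead of editing default/, since local/ takes precedence and is not overwritten when the app is upgraded.

```ini
# $SPLUNK_HOME/etc/apps/DA-ESS-CbResponse/local/macros.conf
# A stanza in local/ overrides the stanza of the same name in default/macros.conf
# and survives app upgrades. MACRO_NAME_FROM_DEFAULT is a placeholder: copy the
# exact stanza header of the macro from default/macros.conf.
[MACRO_NAME_FROM_DEFAULT]
definition = index="cb" sourcetype="cb"

# $SPLUNK_HOME/etc/apps/<app that owns the 'cb' sourcetype>/local/props.conf
# Assumed event shape (not from the thread): one JSON object per line, containing
# an epoch-seconds field named "timestamp". Without TIME_PREFIX/TIME_FORMAT,
# Splunk stamps each event with index time instead of the original CB event time.
[cb]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
KV_MODE = json
TIME_PREFIX = "timestamp":\s*
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 20
```

After restarting Splunk, `splunk btool macros list --app=DA-ESS-CbResponse --debug` shows which file each macro definition is being read from, which is a quick way to confirm the local/ override is winning before reloading the dashboard.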


jamesbrock
Path Finder

Thanks for taking the time, I was thinking it was something similar, I'll give that a try.

0 Karma

lfedak_splunk
Splunk Employee

@mnamestnik, Want to "Accept" your solution? 🙂

0 Karma

mnamestnik
Explorer

Haha, I guess, why not? 😉

0 Karma

jamesbrock
Path Finder

I have this same issue. Did you ever figure out how to fix it?

0 Karma