So I have the app set up right (I believe) with the server URL and an API token from my CB Response cluster. The reason that I believe I have it set up right is that I can perform successful binary and process searches from the 'Carbon Black Enterprise Response' drop-down at the top left of the app. However, my main dashboard screen for that app shows 0 sensors reporting alerts, 0 alerts triggered, 0 banned hashes executed, and 0 master servers sending data. I know I've had alerts within CB during the time period that I've had this app installed/enabled, as I spend half my day in the CB UI sifting through and resolving alerts. Is this a known bug, something misconfigured, and/or something I can easily fix myself? Would be nice to have it working so I could spend more time in Splunk instead of having to bounce back and forth. I am running 5.1.1 patch 3 on the CB Response side, and Splunk 6.4.2 with the latest CB app from Splunkbase. Thanks! (screenshot: https://imagebin.ca/v/2rfVOGApMQl4)
Hey, sorry, I totally forgot that I had even posted this since I never got a response. lol
So for me it ended up being that I was writing my CB data to a different index than main, and I was using a custom sourcetype as well on import for CIM purposes (and for the timestamp, since you have to specify where to look in the JSON data for the timestamp, or else Splunk defaults to the time it's imported into the index instead of the original time from the CB data itself). The definition in /opt/splunk/etc/apps/DA-ESS-CbResponse/default/macros.conf needed to be repointed to the index and sourcetype that my data actually used; in my case I was writing to the 'cb' index and was using a sourcetype of 'cb' as well, like the below:
definition = index="cb" sourcetype="cb"
Hope that helps
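To make the fix above concrete, here is an added example of the two pieces of Splunk configuration the answer refers to: the app macro that scopes the dashboard searches to the index and sourcetype, and the props.conf stanza that tells Splunk where the event time lives in the JSON so events are not stamped with their ingest time. This is not the poster's configuration or the Carbon Black app's shipped files; the macro stanza name (`cb_data_scope_macro`) is a placeholder for whatever macro the app actually defines, and the JSON field name `timestamp` and its format are assumptions that must be checked against a raw event from the forwarder.

```ini
# macros.conf (placeholder stanza name; use the macro name the app defines).
# Putting this in the app's local/ directory overrides default/ and survives
# upgrades, which overwrite default/.
[cb_data_scope_macro]
definition = index="cb" sourcetype="cb"

# props.conf, keyed by the custom sourcetype the data is ingested with.
[cb]
# Parse the JSON body into fields at search time.
KV_MODE = json
# Assumed: the event carries its own time in a "timestamp" field.
# Without TIME_PREFIX/TIME_FORMAT, Splunk falls back to the ingest time.
TIME_PREFIX = "timestamp":\s*"?
# Assumed format; replace with the one seen in your raw events
# (epoch seconds would be %s, an ISO string something like %Y-%m-%dT%H:%M:%S).
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 40
TZ = UTC
```

A quick sanity check after restarting is to run the macro's definition as a search over the same time range the dashboard uses (for example `index="cb" sourcetype="cb" earliest=-24h | stats count`) and confirm both that events come back and that `_time` matches the event's own timestamp rather than the ingest time.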
Thanks for taking the time, I was thinking it was something similar, I'll give that a try.
@mnamestnik, Want to "Accept" your solution? 🙂
Haha, I guess, why not? 😉
I have this same issue. Did you ever figure out how to fix it?