
Why aren't VMware Carbon Black Cloud app dashboards populating results?

bsanjeeva
Explorer

Hi 

We are using the VMware Carbon Black Cloud app, and the VMware logs are pulled from AWS S3 buckets. The index has logs. However, the dashboards of the app, when configured with the same index, are not working. Please help remediate.

Thanks

 


chaker
Contributor

Hi @bsanjeeva ,

It's likely an index that is not searchable by default, or a macro needs to be updated to specify the indexes with the data.

Is this the app you are using? (VMware Carbon Black EDR On-Prem)

If so:

  1. Navigate to the Administration > Application Configuration menu, VMware EDR Base Configuration tab.

    1. Update the index names to those created above

    2. Click the Save Application Configuration button to enable the App

Otherwise, open a report panel from the app in search; if it contains macros, use the CTRL-SHIFT-E shortcut to expand the search. The problem should become a bit more obvious at that point.

chaker
Contributor

I see that you are using the cloud app, not on-prem; however, a similar solution most likely.

https://developer.carbonblack.com/reference/carbon-black-cloud/integrations/splunk-app/#app-setup-an...

 

  1. Create two Event index(s) for your data.

    • One index for the Carbon Black Cloud data e.g. carbonblackcloud
    • One index for the results of the Alert Actions e.g. vmware_actions

     

  2. Navigate to the Administration –> Application Configuration menu in the VMware Carbon Black Cloud App

  3. On the VMware CBC Base Configuration tab set the VMware CBC Base Index and VMware CBC Action Index to the index names from step 1 including index= e.g. index=carbonblackcloud

  4.  

bsanjeeva
Explorer

Hi @chaker ,

We have the app installed in Splunk Cloud, and the app used is https://splunkbase.splunk.com/app/5332/. I have completed the app setup with index names, but the dashboard is still not working.

Thanks
