
No data on CB app main dashboard

mnamestnik
Explorer

So I have the app set up right (I believe) with the server URL and an API token from my CB Response cluster. The reason that I believe I have it set up right is that I can perform successful binary and process searches from the 'Carbon Black Enterprise Response' drop down at the top left of the app. However, my main dashboard screen for that app shows 0 sensors reporting alerts, 0 alerts triggered, 0 banned hashes executed, and 0 master servers sending data. I know I've had alerts within CB during the time period that I've had this app installed/enabled, as I spend half my day in the CB UI sifting through and resolving alerts. Is this a known bug, something misconfigured, and/or something I can easily fix myself? It would be nice to have it working so I could spend more time in Splunk instead of having to bounce back and forth. I am running 5.1.1 patch 3 on the CB Response side, and Splunk 6.4.2 with the latest CB app from Splunkbase. Thanks! (screenshot: https://imagebin.ca/v/2rfVOGApMQl4)


mnamestnik
Explorer

Hey, sorry, I totally forgot that I had even posted this since I never got a response. lol

So for me it ended up being that I was writing my CB data to a different index than main, and I was using a custom sourcetype as well on import for CIM purposes (and for the timestamp, since you have to specify where to look in the JSON data for the timestamp, or else Splunk defaults to the time it's imported to the index instead of the original time from the CB data itself). The definition in /opt/splunk/etc/apps/DA-ESS-CbResponse/default/macros.conf needed to be repointed to the index and sourcetype that my data actually was in. In my case I was writing to the 'cb' index and was using a sourcetype of 'cb' as well, like the below:

definition = index="cb" sourcetype="cb"

Hope that helps

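The fix above amounts to making the app's base search macro match the index and sourcetype the CB events are really written to. Editing default/macros.conf works, but Splunk reads local/ on top of default/ and an app upgrade overwrites default/, so the same override placed in local/macros.conf survives upgrades. The script below is an added example, not code from the CB Response app or from this thread: it parses Splunk-style .conf text, layers local/ over default/ the way Splunk does, and reports which index and sourcetype each macro definition actually searches, so a mismatch between the macro and the index holding the data can be spotted without clicking through the dashboard. The stanza name cb_base_search and the sample definitions are constructed placeholders; the real macro name must be taken from the app's own default/macros.conf.

```python
"""Report which index/sourcetype a Splunk app's search macros target.

Added example; not part of the CB Response app. Parses Splunk-style .conf
text (stanzas, key = value, trailing-backslash continuations), applies
local-over-default precedence per key, and extracts index= and sourcetype=
terms from each macro definition. Stanza name and values are constructed.
"""
import re

# Matches index="cb" / sourcetype=cb style terms inside a macro definition.
SEARCH_TERM = re.compile(r'\b(index|sourcetype)\s*=\s*"?([^\s"]+)"?', re.IGNORECASE)


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Lines ending in a backslash are joined to the next line first (Splunk's
    continuation syntax). Keys before any [stanza] header go under 'default',
    matching Splunk's own naming for the global section.
    """
    text = re.sub(r"\s*\\\r?\n\s*", " ", text)
    stanzas = {}
    current = stanzas.setdefault("default", {})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
            continue
        if "=" not in line:
            continue  # malformed line; Splunk ignores these too
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Later layers (e.g. local/) override earlier ones (default/) key by key."""
    merged = {}
    for layer in layers:
        for stanza, kv in layer.items():
            merged.setdefault(stanza, {}).update(kv)
    return merged


def macro_targets(merged):
    """Return {macro: {'index': [...], 'sourcetype': [...]}} for every stanza with a definition."""
    out = {}
    for stanza, kv in merged.items():
        definition = kv.get("definition")
        if definition is None:
            continue
        targets = {"index": [], "sourcetype": []}
        for field, value in SEARCH_TERM.findall(definition):
            targets[field.lower()].append(value)
        out[stanza] = targets
    return out


def macros_missing_data(merged, indexes_with_data):
    """Names of macros whose definition pins an index that holds none of the CB events."""
    return sorted(
        name for name, t in macro_targets(merged).items()
        if t["index"] and not set(t["index"]) & set(indexes_with_data)
    )


# Constructed sample of a shipped default/macros.conf (hypothetical stanza name).
DEFAULT_MACROS = """\
[cb_base_search]
definition = index="main" sourcetype="carbonblack"
iseval = 0
"""

# Constructed sample of an upgrade-safe local/macros.conf override, using a
# backslash continuation to show that the parser handles it.
LOCAL_MACROS = """\
[cb_base_search]
definition = index="cb" \\
    sourcetype="cb"
"""

if __name__ == "__main__":
    shipped = merge_layers(parse_conf(DEFAULT_MACROS))
    effective = merge_layers(parse_conf(DEFAULT_MACROS), parse_conf(LOCAL_MACROS))
    print("mismatched before override:", macros_missing_data(shipped, ["cb"]))
    for name, t in macro_targets(effective).items():
        print(f"{name}: index={t['index']} sourcetype={t['sourcetype']}")
```

Point the two constants at the real files (for example open $SPLUNK_HOME/etc/apps/DA-ESS-CbResponse/default/macros.conf and local/macros.conf) and pass the index you actually send CB events to; any macro name returned by macros_missing_data is one the dashboards will search in the wrong place. On the Splunk host, `splunk btool macros list --app=DA-ESS-CbResponse --debug` shows the same merged result together with the file each key came from.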

jamesbrock
Path Finder

Thanks for taking the time, I was thinking it was something similar, I'll give that a try.


lfedak_splunk
Splunk Employee

@mnamestnik, Want to "Accept" your solution? 🙂


mnamestnik
Explorer

Haha, I guess, why not? 😉


jamesbrock
Path Finder

I have this same issue. Did you ever figure out how to fix it?
