
Splunk Carbon Black Add-on not parsing JSON

chanjianming
New Member

Hi, I configured the CBR cb-event-forwarder to output to Splunk in the following ways, but over at Splunk Enterprise the events received looked something like ###.....|....###...start...###{cb json}###end###.

Tried setups:

1) UF installed on the CBR server, cb-event-forwarder outputs to a file, UF monitors the JSON file and forwards to Splunk Enterprise. The Carbon Black TA add-on is installed on Splunk Enterprise. The sourcetype is set correctly in inputs.conf on the UF.

2) CB event forwarder outputs to the Splunk HEC: same issue.

3) Verified that the CB event logs do not contain ###...###, just the {cb json content}.

4) UF is Linux, Splunk Enterprise is on Windows.

5) Changing the sourcetype in inputs.conf to json, Splunk Enterprise parses the JSON event correctly, just not CIM mapped.

Does the Carbon Black TA add-on work on Windows Splunk? Please help.

Carbon Black Splunk Add-On not parsing JSON at all

Hi, I have tried two methods:

1) Install the UF on the Carbon Black Response server, cb-event-forwarder writes events to a JSON file, UF monitors it and forwards to the indexer/search head. On the UF side, I have set the sourcetype correctly. On the indexer side, I have the Carbon Black app add-on installed. Events received on the indexer side start with ###....###...start..{json content}###...end...###

2) The same issue occurs if I configure cb-event-forwarder to forward to Splunk (HEC).

3) If I use the native json sourcetype, I see the JSON parsed correctly, but not mapped to CIM.

4) UF is Linux, indexer is Windows. However, I didn't encounter the issue when both UF and indexer were Linux.

What is wrong here?
Does the CB Splunk add-on not run on Windows Splunk?

Please help.
