Environment
- Carbon Black Cloud: All versions
- VMware Carbon Black Cloud App for Splunk: 1.x
- Splunk: 8.x (Enterprise and Cloud Platform)
Objective
Information and data to collect to expedite support cases involving VMware Carbon Black Cloud App for Splunk and associated add-ons
Resolution
1. Check for common issues
   - There may be an existing document in the knowledge base. Refer to these common issues if applicable:
     - Carbon Black Cloud: Splunk App Alert Input returns 500 error
     - Carbon Black Cloud: Splunk app user is not authenticated or receives error codes 401 or 403
     - Carbon Black Cloud: Splunk fails to populate data
   - Confirm that the correct apps/add-ons are deployed on the correct nodes:
     - For example, the App and IA/TA must be installed on different nodes according to the deployment guide (see the "Distributed App Configuration" section)
   - Confirm the correct API and Org keys are specified in the API Token Configuration
     - These should match in the CBC console and Splunk app
   - In the VMware Carbon Black Cloud App for Splunk interface, ensure the indices specified in the Base Configuration page have been created:
     - The Base Index and Alert Action Index should be uniquely named
2. If the items in Step 1 do not resolve the issue, prepare some details about the deployment before opening a case:
   - Version of Splunk
   - Which Splunk Platform: Enterprise (on-prem) or Cloud
   - List of Splunk components (e.g., IA, TA, IDM)
   - List CBC apps/add-on details
     - Name and version of the installed apps/add-ons
     - Which nodes they are installed on
3. Gather the following data:
   - Screenshots of all Splunk app configuration tabs
   - Splunk app logs (see "Carbon Black Cloud: How to fetch logs for VMware Carbon Black Cloud App for Splunk")
   - Run the following queries and collect both a screenshot and an export of the results
   - Get a list of CBC Apps installed on the Splunk instance
     - In the upper left of Splunk, go to the “Apps” dropdown and select “Manage Apps”
     - Search for “CB” and screenshot the results
4. Open a case with Carbon Black Technical Support and provide a clear description of the issue with the info and data gathered in Steps 2 and 3