Carbon Black Cloud: How to collect support data for CBC Splunk apps

Environment

  • Carbon Black Cloud: All versions
  • VMware Carbon Black Cloud App for Splunk: 1.x
  • Splunk: 8.x (Enterprise and Cloud Platform)

Objective

Information and data to collect to expedite support cases involving VMware Carbon Black Cloud App for Splunk and associated add-ons

Resolution

  1. Check for common issues
    1. There may be an existing document in the knowledge base. Refer to these common issues if applicable:
      1. Carbon Black Cloud: Splunk App Alert Input returns 500 error
      2. Carbon Black Cloud: Splunk app user is not authenticated or receives error codes 401 or 403
      3. Carbon Black Cloud: Splunk fails to populate data
    2. Confirm that the correct apps/add-ons are deployed on the correct nodes:
      1. For example, in a distributed deployment the App and the IA/TA must be installed on different nodes; see the "Distributed App Configuration" section of the deployment guide
    3. Confirm that the correct API key and Org Key are specified in the API Token Configuration:
      1. The values entered in the Splunk app must match those shown in the CBC console
    4. In the VMware Carbon Black Cloud App for Splunk interface, confirm that the indices specified on the Base Configuration page actually exist in Splunk:
      1. The Base Index and the Alert Action Index must be uniquely named (they must not share a name)
  2. If the items in Step 1 do not resolve the issue, prepare some details about the deployment before opening a case:
    1. Version of Splunk
    2. Which Splunk Platform: Enterprise (on-prem) or Cloud
    3. List of Splunk components (i.e., IA, TA, IDM, etc.)
    4. List CBC apps/add-on details
      1. Name and version of the installed apps/add-ons
      2. Which nodes are they installed to
  3. Gather the following data:
    1. Screenshots of all Splunk app configuration tabs
    2. Gather Splunk app logs: Carbon Black Cloud: How to fetch logs for VMware Carbon Black Cloud App for Splunk
    3. Run the following searches and collect both a screenshot and an export of the results for each:
      • index="_internal" sourcetype="vmware:cbc:error"
      • index="_internal" sourcetype="vmware:cbc:warning"
      • eventtype="vmware_cbc_base_index" sourcetype="vmware:cbc:informational"
      • eventtype="vmware_cbc_api_errors"
    4. Get a list of CBC Apps installed on the Splunk instance
      1. In the upper left of Splunk, open the “Apps” dropdown and select “Manage Apps”
      2. Search for “CB” and screenshot the results
  4. Open a case with Carbon Black Technical Support and provide a clear description of the issue with the info and data gathered in Steps 2 and 3
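The following script is an added example for Steps 3.3 and 3.4; it is not part of the original article and is not VMware or Splunk tooling. It runs the four searches listed above through the Splunk REST API export endpoint (services/search/jobs/export), writes each result set to a CSV file, and saves the list of installed apps whose name contains "cb" from services/apps/local. It assumes a Splunk management port reachable at SPLUNK_URL, a Splunk authentication token in SPLUNK_TOKEN (bearer-token auth), an optional time range in EARLIEST, and that curl is installed; the REST `search=` response filter on the apps endpoint is used as described in the Splunk REST reference. Invoke it as `./collect.sh run` so the functions can also be sourced on their own.

```shell
#!/usr/bin/env bash
# Added example: export the CBC Splunk app support searches via the Splunk REST API.
# Assumptions (not from the original article):
#   SPLUNK_URL   Splunk management endpoint, e.g. https://splunk.example.com:8089
#   SPLUNK_TOKEN a Splunk authentication token (Settings > Tokens)
#   EARLIEST     how far back to search (default: last 7 days)
#   OUTDIR       where to write the exported files
set -eu

SPLUNK_URL="${SPLUNK_URL:-https://localhost:8089}"
SPLUNK_TOKEN="${SPLUNK_TOKEN:-}"
EARLIEST="${EARLIEST:--7d}"
OUTDIR="${OUTDIR:-cbc-support-$(date +%Y%m%d-%H%M%S)}"

# The four searches the article asks for, one per line.
CBC_QUERIES='index="_internal" sourcetype="vmware:cbc:error"
index="_internal" sourcetype="vmware:cbc:warning"
eventtype="vmware_cbc_base_index" sourcetype="vmware:cbc:informational"
eventtype="vmware_cbc_api_errors"'

# The REST export endpoint needs an explicit leading "search" command
# (or a leading "|"); the Splunk UI adds it implicitly, so add it here.
spl_with_prefix() {
  case "$1" in
    search\ *|\|*) printf '%s\n' "$1" ;;
    *) printf 'search %s\n' "$1" ;;
  esac
}

# Derive a filesystem-safe file name from a query string:
# replace every non [A-Za-z0-9_] character with "_", squeeze runs, trim ends.
spl_slug() {
  printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_' | tr -s '_' | sed 's/^_//; s/_$//'
}

# Run one search through the export endpoint and save the results as CSV.
export_search() {
  query="$1"
  slug="$(spl_slug "$query")"
  curl -sS --fail -H "Authorization: Bearer ${SPLUNK_TOKEN}" \
    "${SPLUNK_URL}/services/search/jobs/export" \
    --data-urlencode "search=$(spl_with_prefix "$query")" \
    --data-urlencode "earliest_time=${EARLIEST}" \
    --data-urlencode "latest_time=now" \
    --data-urlencode "output_mode=csv" \
    -o "${OUTDIR}/${slug}.csv"
  echo "wrote ${OUTDIR}/${slug}.csv"
}

# Save the installed apps whose name contains "cb" (the REST equivalent of
# searching for "CB" under Apps > Manage Apps).
list_cb_apps() {
  curl -sS --fail -H "Authorization: Bearer ${SPLUNK_TOKEN}" \
    "${SPLUNK_URL}/services/apps/local?output_mode=json&count=0&search=cb" \
    -o "${OUTDIR}/apps_local_cb.json"
  echo "wrote ${OUTDIR}/apps_local_cb.json"
}

main() {
  [ -n "$SPLUNK_TOKEN" ] || { echo "set SPLUNK_TOKEN to a Splunk auth token" >&2; exit 1; }
  mkdir -p "$OUTDIR"
  printf '%s\n' "$CBC_QUERIES" | while IFS= read -r q; do
    [ -n "$q" ] && export_search "$q"
  done
  list_cb_apps
}

# Run only when invoked as "./collect.sh run"; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Each CSV is named after the search it came from (for example `index_internal_sourcetype_vmware_cbc_error.csv`), so the files can be attached to the case alongside the screenshots without renaming. Tighten EARLIEST to the window in which the problem occurred if the `_internal` index is large.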

Creation Date: 10-22-2021