Carbon Black Cloud: Splunk fails to populate data

Environment

  • Carbon Black Cloud console: All versions
  • VMware Carbon Black Cloud App for Splunk: 1.x
  • Splunk: 8.x

Symptoms

  • Carbon Black data does not appear in the Splunk dashboards interface
  • Splunk indices show 0 entries
  • No relevant errors appear in the UI or backend logs

Cause

An incorrect index is configured for the Alerts Inputs.

Resolution

  1. Log in to Splunk and open the VMware Carbon Black Cloud App for Splunk
  2. Open the VMware CBC Base Configuration tab
  3. Verify the name of the VMware CBC Base Index
  4. Open the Alerts Inputs tab
  5. Change the Index listed for the Alerts Ingest Configuration to the VMware CBC Base Index

Additional Notes

The VMware CBC Base Configuration section also contains an Alert Action Index; however, this is for Splunk-generated alerts and should not be confused with incoming alerts from CBC.

Creation Date: 06-24-2021