Troubleshoot the Splunk Add-on for Carbon Black

For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons.

For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Event format issue – HEC Endpoint Configuration

If an event received in Splunk has the following structure:

```json
{
    "sourcetype": "<src_type>",
    "event": "<event>"
}
```

the HTTP Event Collector (HEC) endpoint in the cb-event-forwarder.conf file is set to raw: Splunk has indexed the whole JSON envelope verbatim instead of unwrapping the event it carries.

Solution

To forward structured events correctly, change the HEC endpoint setting in cb-event-forwarder.conf from raw to event.

After making this change, restart the Carbon Black server and the event forwarder so that it takes effect:

```bash
systemctl restart cb-enterprise
systemctl restart cb-event-forwarder
```
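As an added illustration (not code from the add-on or from the Splunk documentation), the script below models what the two HEC endpoints store for the same forwarder payload and flags indexed events that still carry the envelope described above. The sample event, the sourcetype name and the function names are constructed for this example; the two endpoint paths are the standard Splunk HEC paths.

```python
import json
from typing import Optional, Tuple

# Standard Splunk HEC endpoint paths; only the event endpoint parses the envelope.
HEC_EVENT_PATH = "/services/collector/event"
HEC_RAW_PATH = "/services/collector/raw"

# Constructed sample: a minimal Carbon Black-style event and sourcetype.
SAMPLE_EVENT = {"type": "example", "pid": 42}
SAMPLE_SOURCETYPE = "example:sourcetype"


def hec_envelope(event: dict, sourcetype: str) -> str:
    """Build the JSON envelope the forwarder posts to HEC."""
    return json.dumps({"sourcetype": sourcetype, "event": event})


def simulate_index(path: str, body: str) -> Tuple[str, Optional[str]]:
    """Approximate what Splunk stores as _raw (and which sourcetype it sees).

    The event endpoint unwraps the envelope; the raw endpoint stores the body
    verbatim, and the sourcetype then comes from the token or URL (None here).
    """
    if path == HEC_EVENT_PATH:
        env = json.loads(body)
        ev = env["event"]
        raw = ev if isinstance(ev, str) else json.dumps(ev)
        return raw, env.get("sourcetype")
    if path == HEC_RAW_PATH:
        return body, None
    raise ValueError(f"unknown HEC path: {path}")


def looks_like_envelope(raw: str) -> bool:
    """True if an indexed _raw is still the {"sourcetype", "event"} envelope."""
    try:
        obj = json.loads(raw)
    except ValueError:
        return False
    return isinstance(obj, dict) and set(obj) == {"sourcetype", "event"}


def diagnose(raw: str) -> str:
    """Return a short finding for a single indexed event."""
    if looks_like_envelope(raw):
        return "HEC endpoint is raw: set it to event and restart cb-event-forwarder"
    return "ok"
```

Run `diagnose()` over a handful of `_raw` values exported from the Carbon Black index to confirm the misconfiguration before changing the forwarder setting.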
