
Upgrade the Splunk Add-on for Carbon Black

The following upgrade steps provide a directory monitoring approach that ensures rolled-over JSON files are not missed if your Splunk platform deployment experiences downtime.

If your Splunk platform instance has been down and files were not ingested while it was unavailable, switching from file monitoring to directory monitoring may cause a temporary spike in ingestion as the backlog of missed rolled-over files is read.

Change File Monitoring to Directory Monitoring

  1. Download and install version 2.0.0 or higher of the Splunk Add-on for Carbon Black.
  2. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/local and open inputs.conf in a text editor.
  3. Update the monitoring path:
    • Change the existing path from <path_of_the_json_file> to <path_of_the_directory_containing_json_file>.
  4. Add a whitelist parameter:
    • Include whitelist = <regex_to_match_json_files>. Refer to the inputs.conf.template file in $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/default/ for guidance.
  5. Replace <regex_to_match_json_files> with a regular expression to monitor the required JSON files. For example, .*\.json(\.[\d\-T:\.a-z]*)? matches the following files:
    • event_bridge_output.json.2019-05-13T11:41:28.167.restart
    • event_bridge_output.json.20190417
    • event_bridge_output.json
  6. Save your changes to the inputs.conf file.
  7. Restart your data collection node to apply the changes.
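The procedure above, worked through as an added example that is not part of the Splunk documentation or of the add-on's own code. It shows the single-file stanza being replaced, builds the directory-monitor stanza that steps 3 and 4 describe, and checks the documented whitelist regex against the three file names listed in step 5. The directory path `/var/cb/data/json`, the sourcetype `bit9:carbonblack:json` (check it against the add-on's `inputs.conf.template`), and the use of `re.search` to mirror Splunk's unanchored whitelist matching are assumptions made for this example; the anchored `STRICT_WHITELIST` variant is a suggestion, not something the page states.

```python
"""Added example (not from the Splunk docs or the Carbon Black add-on):
build the directory-monitor stanza and check the whitelist regex against
realistic JSON file names before editing inputs.conf.
"""
import os
import re

# Assumed locations for this example; adjust to your deployment.
JSON_DIR = "/var/cb/data/json"
SOURCETYPE = "bit9:carbonblack:json"   # assumption: verify in inputs.conf.template

# The single-file stanza being replaced. While Splunk is down, the file is
# rolled over (e.g. to event_bridge_output.json.20190417) and that rolled-over
# file is never opened by a monitor that names only the live file.
FILE_MONITOR_BEFORE = f"""\
[monitor://{JSON_DIR}/event_bridge_output.json]
sourcetype = {SOURCETYPE}
disabled = 0
"""

# Regex exactly as given in the upgrade steps. Splunk applies whitelist as an
# unanchored regex search over the file path (assumption mirrored below).
WHITELIST = r".*\.json(\.[\d\-T:\.a-z]*)?"

# Suggested anchored variant: rejects names that merely contain ".json"
# followed by characters outside the rollover-suffix alphabet (e.g. ".jsonx").
STRICT_WHITELIST = WHITELIST + "$"

# File names listed in step 5, plus two constructed negatives.
SAMPLE_FILES = [
    "event_bridge_output.json.2019-05-13T11:41:28.167.restart",
    "event_bridge_output.json.20190417",
    "event_bridge_output.json",
]
CONSTRUCTED_NON_MATCHES = [
    "event_bridge_output.log",   # wrong extension, must never be ingested
    "event_bridge_output.jsonx", # matches the loose regex, not the anchored one
]


def directory_monitor_stanza(directory, whitelist=WHITELIST, sourcetype=SOURCETYPE):
    """Return the inputs.conf stanza for step 3/4: monitor the directory and
    restrict it to files matching `whitelist`. `directory` must be absolute so
    the stanza reads [monitor:///abs/path] as Splunk expects."""
    if not directory.startswith("/"):
        raise ValueError("monitor path must be absolute")
    return (
        f"[monitor://{directory}]\n"
        f"whitelist = {whitelist}\n"
        f"sourcetype = {sourcetype}\n"
        "disabled = 0\n"
    )


def whitelisted(filename, pattern=WHITELIST, directory=JSON_DIR):
    """True if a file in `directory` would be picked up under `pattern`.
    The regex is applied to the full path with search semantics (assumption
    about Splunk's whitelist behaviour; it is a PCRE, unanchored unless you
    anchor it yourself)."""
    return re.search(pattern, os.path.join(directory, filename)) is not None


def check_samples(pattern=WHITELIST):
    """Map each documented sample file name to whether the whitelist admits it.
    All three should be True, otherwise the regex was mistyped in inputs.conf."""
    return {name: whitelisted(name, pattern) for name in SAMPLE_FILES}


if __name__ == "__main__":
    print("--- before (file monitor) ---")
    print(FILE_MONITOR_BEFORE)
    print("--- after (directory monitor) ---")
    print(directory_monitor_stanza(JSON_DIR))
    for name, ok in check_samples().items():
        print(f"{'MATCH ' if ok else 'MISS  '} {name}")
    for name in CONSTRUCTED_NON_MATCHES:
        print(f"loose={whitelisted(name)!s:5} strict={whitelisted(name, STRICT_WHITELIST)!s:5} {name}")
```

After pasting the generated stanza into `$SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/local/inputs.conf` and removing the old file-level stanza, `splunk btool inputs list --debug` shows the merged result and which file each setting came from, so you can confirm the whitelist survived layering with `default/` before restarting.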