You must complete several procedures on the Splunk Server to enable use of Carbon Black App Control data for analytics. First, configure the Splunk Server to receive forwarder data on port 9997.
Procedure
- Log into the Splunk server as an administrator-level user.
- In the menu bar at the top of the Splunk console, choose Settings (Splunk 6) or Management (Splunk 5), then choose > Data > Forwarding and receiving, and in the Forwarding and receiving window, select Configure receiving.
- In the Receive data window, check to see whether port 9997 is configured. If not, click the New button, enter 9997 as the port to listen on, and click the Save button.
- In your firewall, create a rule to allow the Splunk Server to receive data on port 9997.
